News: New 'Red Flags Rule' focuses on medical identity theft

Beginning August 1, the Federal Trade Commission (FTC) will begin enforcing a rule requiring certain kinds of businesses, including doctors' practices and hospitals, to develop written plans for identifying and responding to warning signs-red flags-of identity theft. And while many health-care providers view the "Red Flags Rule" as another time-consuming, expensive federal mandate they have to follow, ob/gyns who have prepared for it say it need not be either.

More than 8.3 million Americans are victims of identity theft each year, of which the FTC estimates 4.5%, or 373,000, experience medical identity theft-someone pretending to be another person in order to use that person's health insurance.

Steven Kern, a partner in the law firm Kern Augustine Conroy & Schoppmann P.C. in Bridgewater, NJ, explains that compliance with the rule requires a program that will identify and detect relevant red flags and mitigate the consequences of identity theft if it does occur. In addition, red flags programs must be updated periodically and be approved by the business' board of directors, shareholders or-as is the case with most medical practices-senior partner. Businesses found not complying with the rule could face fines or other civil penalties.

The FTC, in its guidelines for complying with the rule, lays out four general categories of warning signs of identity theft. These are: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious forms of personal identification; and notifications from customers, victims of identity theft, or law enforcement authorities about possible identity theft.

The commission's recommended steps for preventing or mitigating theft include increased monitoring of patient accounts and account numbers to prevent misuse, contacting the payer or law enforcement agencies if theft is suspected, tightening database security, or a combination of these steps.

Naomi Lefkovitz, an attorney in the FTC's division of privacy and identity protection, says businesses do not need to submit their plans to the commission. "If we are called in to investigate a case of identity theft, at that point we would probably ask to see the written program," she explains.

Lori Miller, health information manager and privacy officer for the Grand Lake Health Systems and Joint Township District Memorial Hospital in St. Marys, Ohio, has been providing Red Flag training for staff in the system's hospital and seven affiliated practices, which includes Grand Lake ob/gyn. Grand Lake has produced a one-page "Notification of Suspected Identity Theft" form to be filled out if a staff member suspects a patient isn't who she claims to be.

"We try to make the process as easy as possible for the staff so they don't see it as a cumbersome process, something they don't want to do," explains Miller. "So we've developed this form that basically says 'this is the information that was presented, this is the suspicion I have' that they give to their supervisor. Then it's the supervisor's responsibility to investigate." The form also includes relevant departments, such as medical records, that need to be notified.

Miller says initial anxiety about the rule disappeared as soon as training began. "They're looking at me like, are you crazy? We're already doing this," Miller says. "And I tell them 'yes, you're already doing this, but now we're giving you the formal mechanism that if you think something looks suspicious you need to tell us.' And they're like, 'I just have to fill out this form? That's not such a big deal."'