Identity Theft Compliance for Healthcare Providers
January 11, 2009
Technology dominates our daily existence more than ever. From online banking, to Internet shopping, to web-based applications, to electronic patient records, we depend upon technology personally and professionally. Much of this electronic data contains information we would not want to share with a large population. In the wrong hands, some of this information could allow an unscrupulous individual to steal our identities.
To protect identities, the Federal Trade Commission (FTC) has issued its Red Flag Identity Theft Rules under the Fair and Accurate Credit Transactions Act of 2003. Although the FTC has delayed enforcement, healthcare providers will have to comply with the rules by May 1, 2009. To meet this deadline, providers should begin preparing now.
In 2007 the FTC received over 258,000 complaints of identity theft, making it the most frequently reported of the top five fraud categories. A recent survey estimated that three percent of identity theft victims had their personal information used to obtain medical services.
The new Red Flag Identity Theft Rules became effective January 1, 2008, with a mandatory compliance date of November 1, 2008. Because many entities were unsure whether the rules applied to them, the FTC delayed enforcement against the financial institutions and creditors under its jurisdiction until May 1, 2009. The Red Flag Identity Theft Rules were developed to prevent identity theft by requiring financial institutions and creditors to establish reasonable procedures to detect, prevent and mitigate this crime. The rules are meant to protect both the consumer and the provider of goods and/or services.
Initially, many healthcare providers questioned whether these new rules applied to them. Since most healthcare providers extend credit or hold consumer accounts (i.e., they provide a service first and bill the consumer/patient afterward), they fall under the provisions of the new regulations as "creditors." Some healthcare providers also offer bank financing programs to help patients pay large balances, and Financial Counselors and Patient Accounting staff may pull credit reports to validate information on Financial Assistance applications or to assess a patient's assets before approving payment plans or charity care applications. These and other revenue cycle activities bring providers within the scope of the rules.
Challenges
The new rules give providers flexibility in developing their Red Flag Identity Theft programs, allowing them to consider their relative organizational size and complexity in the development of their programs.
However, every program must include reasonable policies and procedures that accomplish the following:
Identify relevant Red Flags and incorporate them into the program
Detect the Red Flags that have been incorporated into the program
Respond appropriately to any Red Flags that are detected, in order to prevent and mitigate identity theft
Ensure that the program is periodically updated to reflect changes in the risks to customers and to the provider
Those who have not yet personally reviewed the Red Flag Identity Theft Rules, or the guidance that is becoming available on the subject, may be wondering what is meant by a "Red Flag." The regulation defines a Red Flag as a "pattern, practice, or specific activity that indicates the possible existence of identity theft."
What should you include when establishing a healthcare Red Flag Program? Wolters Kluwer Financial Services recommends the following steps in putting together a solid program:
Create a Red Flags Team. Per the regulations, oversight of the program must rest with one of the following:
The Board of Directors, or a committee of the board, or
An appropriate senior management employee, who oversees the team and the implementation of the program.
Educate the team.
Create a Red Flags project plan.
Conduct a risk assessment to identify your organizational risks.
Take stock of what personal information your organization has in its files, and who has (or could have) access to it.
Determine how much "paper" is maintained as part of your customer transactions, and create a document flow to depict the ways in which paper is handled.
Lock it up. Review security measures for electronic transactions, as well as employee training and vendor knowledge.
Pitch it. Review records retention and disposal policies for all patient-related documentation.
Ensure all personal information is shredded or pulverized, so it cannot be reconstructed by would-be identity thieves.
Determine which of the Red Flags are most relevant to your organization.
Develop reasonable policies and procedures to address Red Flags. The following are examples of Red Flags in provider organizations:
An address discrepancy between the account and the identification or documents the patient presents, and the way staff identify and respond to it
A Social Security number that is not valid
A name on the account that does not match the name on the insurance member Identification (ID) card or driver's license
Educate staff and patients.
Once the team has been identified and the policies and procedures documented, you will need to train your staff and establish an effective oversight and monitoring mechanism. A communications plan should ensure everyone is aware of the rules and should provide feedback to those who need reminding. Remedial training should be provided and disciplinary action taken where necessary.
Insights
For most healthcare providers, the Patient Access Department and the Patient Accounting Department will feel the greatest impact of these rules. Patient Access typically has a high staff turnover percentage, which makes training a greater challenge. The following should be included in a program for registration:
How to detect a possible Red Flag
How to respond if a Red Flag is indicated
How to report a Red Flag
Patient Access can implement several processes to detect Red Flags. The first, and most important, is to verify all information with the patient when completing a pre-registration or registration. Review and copy all insurance cards and drivers' licenses (or another form of picture ID) to confirm the patient's identity; the copies are themselves sensitive records and fall under the same retention and disposal policies as the rest of the patient's file. Give staff members tools that prompt them to compare the address, phone number, and Social Security number on the account against the ID cards and other documentation the patient provides in person. There must also be a quick and easy protocol that lets staff members confidentially report a possible instance of fraud without creating a confrontational situation with the person seeking care.
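The registration-desk checks described above, and the example Red Flags listed earlier (address discrepancy, invalid Social Security number, name that does not match the ID), can be reduced to a small screening routine. The code below is an added illustration, not IMA Consulting's code or any vendor's product. The record layout, field names and the sample patients are constructed for this example; a real system would feed it from the registration screen. The Social Security number test uses only the structural rules the Social Security Administration publishes (area numbers 000, 666 and 900-999, group number 00 and serial number 0000 are never issued), so passing it means the number could exist, not that it belongs to the patient.

```python
import re
from dataclasses import dataclass

# The sample records below are constructed for this example; they are not
# real patients, and the field names are an assumption, not any system's schema.


@dataclass
class Registration:
    """Information on the account being created or pre-registered."""
    name: str
    ssn: str
    address: str


@dataclass
class IdDocument:
    """Information read from the picture ID the patient presents in person."""
    name: str
    address: str


# 078-05-1120 was printed on a sample card sold in wallets in the 1930s and
# has been submitted as a real SSN by thousands of people since.
_KNOWN_BOGUS_SSNS = {"078051120"}

# Minimal normalization so "Street" and "St" compare equal. A vendor address
# verification service (USPS-backed) does far more than this.
_ADDRESS_ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "apartment": "apt", "suite": "ste",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def ssn_structurally_invalid(ssn: str) -> bool:
    """True if the SSA could never have issued this number."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9 or digits in _KNOWN_BOGUS_SSNS:
        return True
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area == 0 or area == 666 or area >= 900 or group == 0 or serial == 0


def name_tokens(name: str) -> frozenset:
    """Order-insensitive comparison so 'Doe, Jane A.' and 'Jane Doe' agree;
    single-letter tokens (middle initials) are ignored."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return frozenset(t for t in tokens if len(t) > 1)


def normalize_address(address: str) -> str:
    tokens = re.findall(r"[a-z0-9]+", address.lower())
    return " ".join(_ADDRESS_ABBREVIATIONS.get(t, t) for t in tokens)


def screen_registration(reg: Registration, doc: IdDocument) -> list:
    """Return the list of Red Flags raised by comparing the account with the ID."""
    flags = []
    if ssn_structurally_invalid(reg.ssn):
        flags.append("SSN_NOT_VALID")
    if name_tokens(reg.name) != name_tokens(doc.name):
        flags.append("NAME_DOES_NOT_MATCH_ID")
    if normalize_address(reg.address) != normalize_address(doc.address):
        flags.append("ADDRESS_DISCREPANCY")
    return flags


def disposition(flags: list) -> str:
    """A Red Flag triggers a confidential referral for review, never a refusal
    of care at the desk; with no flags, registration proceeds normally."""
    return "REFER_FOR_REVIEW" if flags else "PROCEED"


if __name__ == "__main__":
    clean = (Registration("Jane A. Doe", "123-45-6789", "123 Main Street"),
             IdDocument("Doe, Jane", "123 MAIN ST"))
    suspect = (Registration("John Smith", "666-12-3456", "9 Elm Avenue"),
               IdDocument("John Smyth", "42 Oak Road"))
    for reg, doc in (clean, suspect):
        flags = screen_registration(reg, doc)
        print(reg.name, flags, disposition(flags))
```

The screen only compares what the patient hands over with what is already on the account; a structurally valid SSN attached to someone else's name is exactly the case it cannot catch, which is why the address verification and credit bureau tools discussed later still matter.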
Emergency Departments are already one of the highest-risk areas in a hospital in terms of financial exposure, and they also have the highest probability of being victimized by identity theft. Hospitals must develop a process to review accounts at checkout and a methodology for identifying repeat offenders. Communication with the Patient Accounting Department is essential in preventing ongoing fraud.
Tools
Numerous software vendors provide tools to help verify a patient's identity and discourage fraud. Many vendors offer address verification software that checks against the United States Postal Service database, credit reporting agencies, and credit card vendors. This technology allows address verification to occur during all phases of the Patient Access process, and gives the provider the opportunity to stop a possible identity theft before services are rendered.
Most healthcare providers today have already implemented processes that could lead to the detection of possible identity theft, but the new regulations provide better guidelines and encourage the development and use of tools to better protect our patients. The key is to communicate clearly and consistently with Patient Access, Patient Accounting, and other appropriate provider staff, so they understand which "Red Flags" to watch for and what to do when they detect something suspicious. Communication material that explains your Identity Theft Prevention Program to your patients will also help them feel more comfortable when Patient Access staff ask for personal identification. Many patients today do not want to provide their Social Security number or picture ID, so providers need to be proactive in explaining what they are doing to protect patients from identity theft.
Summary
Compliance with the Red Flag Identity Theft Rules is not optional. Any healthcare provider whose practices may be construed to include the extension of credit or the holding of consumer accounts is obligated to comply with the regulation by May 1, 2009. By initiating and properly implementing your Red Flag Program over the next few months, you will ensure timely compliance and better protection for your patients.
We are pleased to have had the opportunity to provide this information to you. If you have any questions or need assistance in developing a Red Flag Program, please contact either Becky Peters, Consulting Manager, at 970-846-8557 or me at 610-517-1386.
Yours very truly,
Kim Hollingsworth
Partner
IMA Consulting