Editor's note Oct. 30, 2009: The FTC today announced "At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC." Source: FTC

Identity Theft "Red Flags":  How Healthcare Providers Can Protect Themselves and Patients from Identity Theft.

On November 9, 2007, the Federal Trade Commission (FTC), along with the banking regulatory agencies, published final rules entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003"[1].  Perhaps because health care providers don't ordinarily track actions of the Comptroller of the Currency, the Federal Reserve System and the other bank regulators, it came as a surprise to the health care industry to learn that the FTC thought that hospitals, physicians and other providers could be "creditors" subject to the Red Flags Rule.  When the industry did learn of this interpretation, there was great concern. 

The American Medical Association and other professional organizations tried for several months to persuade the FTC that physicians were not "creditors".  In a letter dated February 4, 2009, the FTC took the position that health care providers could be "creditors" and therefore must comply with the Red Flags rule.[2]  The FTC noted that the terms "credit" and "creditor" have been given broad scope in decisions of courts and other federal agencies, and in particular, that the Federal Reserve Board has interpreted the term "creditor" to include any entity that defers payment, even in the normal course of billing processes.   The Federal Reserve Board's Official Staff Commentary to Regulation B states:

If a service provider (such as a hospital, doctor, lawyer, or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation, even though there is no finance charge and no agreement for payment in installments.[3]

The FTC concluded that health care professionals who regularly bill for services after the services are rendered are "creditors".  Since there is no exception for physicians and other professionals in FACTA's definition of creditor, they are required to comply with the Red Flags rule.  The FTC commented that most physicians would face minimal risk of identity theft, and therefore a simple, streamlined identity theft prevention program should suffice.

While the FTC was not persuaded that physicians should be exempt from the Red Flags Rule, industry pressure did cause the agency to delay enforcement several times:  most recently, to November 1, 2009.[4]  Meanwhile, the FTC developed resources to help businesses that are at low risk of encountering identity theft – including physician practices – develop identity theft prevention programs adequate for a low-risk environment.[5]

Background of the Red Flags Rule

The Red Flags Rule represents part of a multi-faceted approach to the growing problem of identity theft.  According to the FTC's 2006 identity theft report, 8.3 million Americans were victims of identity theft in 2005.[6]  Over the last several years, Congress has enacted laws to implement several tools for fighting identity theft:

  • Requiring holders of confidential information to take measures to protect data security (including the Gramm-Leach-Bliley Act regulating data security for financial institutions, and the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act [HIPAA] for confidential information held by health care providers);
  • Enabling consumers to protect themselves against identity theft by improving access to credit reports and allowing the consumer to place a fraud alert on his/her credit report; and
  • Preventing identity thieves from using the identity of another person to obtain credit.  This is the approach taken by the Red Flags Rule.

It is important to recognize that an effective identity theft prevention program will not only protect consumers, but also protect businesses.  State and federal laws limit the financial exposure of identity theft victims.  Therefore, if a patient has used another person's identity (and benefit eligibility) to obtain health care services, and the identity theft is discovered, any charges to the identity theft victim's account will have to be written off.  In many cases, health care providers have sustained large losses due to identity theft.[7]

What does the Red Flags Rule require?

The Red Flags Rule requires a creditor (including a health care provider who bills patients after performance of services) to adopt a written identity theft prevention program.  The program should be appropriate for the level of risk of identity theft.  For example, a practice where most of the patients are established patients, personally known to the physicians, is at low risk of identity theft and can probably use the FTC's tools for low-risk creditors.  By comparison, a health center that sees large numbers of new patients is at greater risk, and will require more detailed policies.   Entities that are at high risk may find it appropriate to use commercial tools that validate the address and social security number.  Some health care providers even use biometric identifiers.  The Red Flags Rule does not mandate any single approach to identity theft prevention, but does require every creditor to determine what is appropriate for the creditor's operations.

The identity theft prevention program should identify the relevant "red flags" – the circumstances that should put staff on alert for potential identity theft.  The Red Flags Rule included a supplement that identified some of the most common red flags.  Some suspicious circumstances that may be encountered by health care providers include identifying documents that appear to be altered or forged; identifying documents which have a photograph or physical description that does not match the individual's appearance; social security numbers that are invalid, or that are the same as SSNs of other patients; and failure to supply any identifying information.

The program should describe how staff will detect red flags.  Some health care providers have changed their registration procedures in response to this requirement (e.g., asking for a photo ID when this had not been requested in the past).  The program should also identify the response if a red flag is encountered.  Some health care providers may choose not to provide services if the individual's identification is questionable (of course, this option is not available to hospital emergency departments).  Alternatively, the provider may decide to provide care, but flag the record for further review.
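As an illustration of the detect-and-respond steps described above, the following registration-time check is an added example written for this article, not a tool from the FTC or any provider.  It applies three of the red flags listed above (no identifying information, an ID that does not match the individual, and an SSN that is structurally invalid or already on file for a different patient) and takes the "provide care but flag the record for review" response.  The SSN structure rules (area never 000, 666 or 900-999; group never 00; serial never 0000) are the Social Security Administration's numbering constraints; the `Registration` fields are assumed names.

```python
import re
from dataclasses import dataclass, field

# Structural constraints on a U.S. SSN (SSA numbering rules, not from the article):
# area (first 3 digits) is never 000, 666 or 900-999; group (middle 2) is never 00;
# serial (last 4) is never 0000.  Hyphens are optional.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_is_valid(ssn: str) -> bool:
    """Return True if the SSN has a structurally possible area/group/serial."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        return False
    area, group, serial = int(m[1]), int(m[2]), int(m[3])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


@dataclass
class Registration:          # assumed field names for a registration event
    patient_id: str
    ssn: str
    id_presented: bool       # any identifying document supplied at all
    photo_matches: bool      # registrar's judgement: ID photo/description matches person


@dataclass
class RedFlagRegistry:
    seen_ssns: dict = field(default_factory=dict)   # normalised SSN -> patient_id
    review_queue: list = field(default_factory=list)  # (patient_id, flags) awaiting review

    def check(self, reg: Registration) -> list:
        """Detect red flags for one registration; flag the record rather than refuse care."""
        flags = []
        if not reg.id_presented:
            flags.append("no identifying information supplied")
        elif not reg.photo_matches:
            flags.append("ID photo/description does not match individual")
        digits = re.sub(r"\D", "", reg.ssn)
        if not ssn_is_valid(reg.ssn):
            flags.append("SSN is structurally invalid")
        elif digits in self.seen_ssns and self.seen_ssns[digits] != reg.patient_id:
            flags.append(f"SSN already on file for patient {self.seen_ssns[digits]}")
        else:
            self.seen_ssns[digits] = reg.patient_id
        if flags:
            # Chosen response: care proceeds, but the record is queued for further review.
            self.review_queue.append((reg.patient_id, flags))
        return flags
```

A practice that chooses to refuse service on a questionable ID would branch on the returned list before the visit proceeds; an emergency department would only use the review queue.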

In addition to describing how to respond if a red flag is encountered at patient registration, the program should describe how the health care provider responds if a complaint of identity theft is received.  For example, an individual may claim that he/she received a bill for services never received.  The provider will need to investigate the complaint, and if it turns out that the patient was actually an identity thief using someone else's name and benefit information, the account will have to be corrected (which may require refunding of payment made by a third party payor).

Red Flags Rule compliance presents more complicated issues for health care providers than for banks and finance companies.  If identity theft has occurred, there is a possibility that the medical record contains erroneous information, or may even combine information of two individuals.

Medical identity theft

In 2008, the U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONCHIT) engaged Booz Allen Hamilton for a project on medical identity theft.  The first phase of the project was an "environmental scan", to capture what was currently known about the scope of the problem of medical identity theft, and existing resources to address the issue.  The environmental scan was released on October 15, 2008 – the same day as a "Town Hall meeting" held with stakeholders to discuss the role of health information technology in addressing medical identity theft.  The final report of the project was released on January 15, 2009.[8]

The environmental scan used the following definition of medical identity theft:

Medical identity theft refers to the misuse of another individual's PII [personally identifiable information] such as name, date of birth, SSN, or insurance policy number to obtain or bill for medical services or medical goods.[9]

While acknowledging that data on the incidence of medical identity theft is sparse, the environmental scan noted that according to the FTC's 2006 identity theft report, 3% of identity theft victims (about 250,000 Americans) reported that their identity was used fraudulently to obtain medical services.  The difficulty of estimating the incidence of medical identity theft is compounded by the fact that medical identity theft can arise from health care fraud (when a provider fraudulently uses an individual's information to bill for services not provided), from misappropriation of an individual's PII, or from misuse of an individual's PII with that individual's consent to fraudulently obtain health care services.

Medical identity theft requires a two-pronged response:  investigation and mitigation of identity theft in accordance with the Red Flags Rule, and restoring the integrity of the medical record.  If the identity theft victim has never received services from the provider, the problem is somewhat less complicated:  a fraud alert can be placed on the record.  If the victim has been a patient, then medical information of the identity thief must be separated from the victim's health information.  Under HIPAA, individuals have the right to request amendment of their PHI.[10]  A resource developed by the American Health Information Management Association (AHIMA) describes the process as follows:

If the healthcare entity knows the health information was never used in any treatment or payment decisions related to the victim, the healthcare entity can "separate" the information and create a new record for the perpetrator.  In effect, the erroneous information is deleted from the victim's medical record.  This is generally accomplished more easily with paper records.  For electronic records, it may be very costly, cumbersome, and sometimes impossible to separate the data.

An amendment problem arises when the perpetrator's health record is used to make treatment or payment decisions related to the victim.  In these situations, the record cannot be separated because, rightfully or wrongfully, a decision was made using the erroneous information.  Instead, healthcare entities must follow longstanding requirements of striking through or amending erroneous information without actually deleting the misinformation from the victim's record.  Healthcare entities can and should link the amendment directly to the erroneous information in a very noticeable manner.[11] 

Covered entities are also obligated under HIPAA to send the amended information to other parties (e.g., other providers, health plans, etc.) in certain cases.[12]

Medical identity theft presents unique risks, because the wrong identifying information can lead to medical errors, and consequently physical as well as financial harm.  The trend toward electronic medical records increases the risk.  This is likely to be an area for further attention by lawmakers and regulatory agencies.


[1] 72 Fed. Reg. 63718 (Nov. 9, 2007).

[2] Letter dated February 4, 2009 from Eileen Harrington, Acting Director of Bureau of Consumer Protection, FTC to Margaret Garikes, Director of Federal Affairs, American Medical Association, reproduced online at http://www.ftc.gov/os/statutes/redflags.pdf.

[3] Official Staff Commentary, 12 C.F.R. § 202.3.

[4] http://www.ftc.gov/os/2009/07/P095406redflagspolicy.pdf.

[5] FTC resources are collected at the website http://www.ftc.gov/redflagsrule.

[6] Federal Trade Commission 2006 Identity Theft Report, available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

[7] One example is a story reported in the Chicago Tribune in April 2009, describing an illegal immigrant who obtained $530,000 in cancer care using an ID that she had purchased on the black market.

[8] The environmental scan, transcript of the Town Hall meeting, and final report are available at http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&cached=true&objID=1177&PageID=15441.

[9] Medical Identity Theft Environmental Scan, Oct. 15, 2008, p. 4.

[10] 45 C.F.R. § 164.526.

[11] Smith, Applying HIPAA to Identity Theft, in Medical Identity Theft, American Health Information Management Association, 2008 (Nichols, Ed.) p. 65.

[12] 45 C.F.R. § 164.526(c)(3).

About the Author

Patricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (http://www.digitalagemd.com/). 