Red Flag Rules

The Federal Accurate Credit Transactions Act (FACT), enacted by Congress in 2003, established the Red Flag rules. They will be effective from December 31, 2010 and were first published in the Federal Register on November 9, 2007. The Federal Trade Commission (FTC) defines red flags as “a pattern, practice, or specific activity that could indicate identity theft.” The Red Flag rules require businesses to adopt written measures to detect, prevent and mitigate identity theft. In medical practices, identity theft can arise when an individual uses another person’s insurance information without his or her knowledge to obtain medical services, thereby creating erroneous medical records and claims for the victim. The FTC, Federal bank regulatory agencies, and the National Credit Union Administration (NCUA) will enforce these requirements. According to the FTC, Red Flags are:

  • Alerts, notifications, or warnings from a consumer reporting agency;
  • Suspicious documents;
  • Suspicious personal identifying information;
  • Suspicious activity relating to a covered account; or
  • Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

Practices come under the Red Flag regulations if they are creditors that offer or maintain covered accounts. Additionally, you may fall into the category of a creditor if you “regularly defer payments for goods and services or provide goods and services and bill customers later.” According to the Fair Credit and Reporting Act (FCRA), a creditor is someone who “regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” In addition, creditors that offer or maintain covered accounts have obligations under the Red Flag regulations. A covered account is one that is used for multiple payments or transactions, for example a credit card that has a potential risk of identity theft associated with it.

Your office should perform a risk assessment to determine whether you are a creditor that maintains or offers covered accounts. You will want to consider the methods you use to open and access your accounts, and any experiences you have had with identity theft.

You will need to adopt policies in your daily operations to identify Red Flags or instances of these patterns. The Red Flag regulations mandate that your identity theft program have these four elements:

  1. Identify relevant Red Flags that can occur in your practice, for example:
    • Patient complains about receiving a bill for another individual, denies receiving a product that he or she was billed for, or complains about receiving a bill from a physician whom he or she never patronized
    • Patient complains about receiving an Explanation of Benefits for services that he or she never received
    • Medical records that are inconsistent with the patient’s physical examination or medical history
    • Patient complains about receiving a collection notice from a bill collector
    • Patient or insurer reports that a legitimate service has been denied because the patient has reached a lifetime maximum cap
    • Patient disputes information that a health care provider or insurer added to his or her credit report
  2. Show how you will detect Red Flags
    • Designate methods that you will use to detect these Red Flags, for example, requiring your staff to verify the identity of a patient using a state-issued identification card
    • Train and supervise staff appropriately to spot these Red Flags
  3. Respond appropriately to any Red Flags that you notice. This entails:
    • Implementing procedures that your staff will use to report Red Flags to law enforcement
    • Stopping transactions if Red Flags are detected
    • Verifying if the patient has submitted a police report
  4. Assess your identity theft prevention program periodically to see if you need to make any enhancements to avert any new risks from identity thieves

The Red Flag regulations require that your board of directors, an appropriate committee, or a senior-level employee approve the written identity theft program. You will need to ensure that your staff is trained sufficiently to apply the program and that you exercise oversight of service provider arrangements.

Penalties for Noncompliance

Although there are no criminal penalties for failing to comply with the Red Flags Rule, if you violate these rules, you may be liable for civil monetary penalties.

If you have any questions, you can send them to the Health Policy department via email or visit the AMA.

Copyright 2012. American Academy of Otolaryngology — Head and Neck Surgery
