Prevent medical identity theft: Red flags rule compliance deadline is May 1

CLICK to Email
CLICK for Print Version

Six steps to compliance

Medical identity theft is an ugly reality for healthcare organizations, patients, and payers. It’s only going to get worse if providers don’t have an effective theft prevention program, a specific requirement of the Federal Trade Commission’s (FTC) Red Flags Rules, which has a compliance deadline of May 1.

“It’s very real,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

“It’s a more insidious type of theft because you not only have the financial problems to fix, but the integrity of the medical record is compromised, too,” says John C. Parmigiani, HIPAA security and privacy consultant and president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD.

There were 10 million victims of identity theft in the United States in 2008, a quarter of whom were victims of medical identity theft. In total, there were 4 million breaches of medical records in 2008, according to the World Privacy Forum. The numbers are rising, and stakeholders such as patients, insurers, and providers are paying a price, experts say.

The FTC can also levy penalties as high as $2,500 for each independent violation of the rule, says Parmigiani.

Parmigiani and Borten discussed how to battle medical identity theft by complying with the Red Flags Rules in the March 11 HCPro audio conference, “Prevent Identity Theft with Red Flags: Develop a Compliant Program for New Federal Mandate.” (Note: You can purchase a copy of the presentation at

Where the Red Flags Rules came from

The FTC developed the Red Flags Rules pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The FTC pushed back the original compliance date of November 1, 2008, because many organizations, such as healthcare facilities, didn’t think the Rules applied to them.

“If your organization allows patients to defer payments for services, then you are a creditor, and you fall under this,” says Parmigiani.

It’s no surprise that the Rules confused healthcare providers, Borten says.

“The language is definitely geared more toward financial institutions,” Borten says. “In healthcare, we allow patients to pay in multiple payments. But no one would argue that [crediting] is a primary function.”

The Rules identify certain types of information needed to verify personal identification, including:

  • Name
  • Social Security Number
  • Passport
  • Tax identification
  • Biometric data, such as a fingerprint and voice print

Why identity theft is a dangerous problem

Part of the problem is that it is increasingly difficult to verify identity, particularly in the frenetic hospital setting.

Increasingly, patients are posing as other people to gain free healthcare. And the hospital culture can facilitate that. For example, EMTALA requires that hospitals provide care first in an emergency.

“The whole idea is to just give the care and worry about if they can pay later,” says Parmigiani.

Everything moves quicker in an emergency room—even the registration process. But that’s not the only threat, he says.

“Sometimes it’s an insider-type thing, with doctors or nurses within the system allowing access for fraudulent claims,” Parmigiani says. “We’re also seeing an infusion of organized crime. There is a street value for someone’s identification, and if you have a Social Security Number, there is money to be made.”

Not only is the financial well-being of the patient and organization put in jeopardy, but there is a clinical danger as well.

“When information is comingled, it can have horrible consequences,” Borten says. “You run the risk of improper treatment and medications being given, resulting in injury or even death of a patient.”

There is also the possibility that your medical history can become someone else’s, and vice versa.

Tip: Parmigiani advises organizations to proceed cautiously when dealing with patients who appear questionable in the emergency room. Provide the care they need, but set aside the records for further investigation. “Isolate it before it penetrates your files,” he says.

What the Rules require

Follow this checklist to ensure that your organization is on target with a thorough and effective identity theft prevention program:

  • Conduct an organizational audit. Investigate where your potential problems are, based on your organization’s unique setup and experiences.

“The initial discovery process to look at interactions with patients, and to detect if computer systems are affected, can take awhile,” says Borten.

  • Develop your identity theft prevention program. Include all credit accounts in the program’s scope, not just large balance accounts.

The written program must fulfill the following criteria:

  • Identify potential red flags within your institution
  • Help you detect red flags in real time
  • Detail how you are going to respond to identity theft attempts (i.e., how you can stop theft attempts or how you will mitigate the damage after the fact)

To put this program together, include representatives from risk management, security, privacy, IT, and registration, among others, Borten says.

  • Obtain approval from your board of directors. Get your board involved before the program goes live. The FTC holds senior leaders accountable for the program’s effectiveness, so provide them with regular updates after obtaining their approval to launch.

“It’s a pretty significant black-and-white requirement to get sign-off by the board,” says Borten.

  • Monitor the program. Track the program moving forward, as required, because there will be more threats to tackle, Parmigiani says.
  • Train everyone. HIPAA says you need to protect the integrity of information. The FTC says you need an identity theft prevention program. You can certainly parlay some of the work you have done with HIPAA when developing training strategies for identity theft and a process for security incident identification and response.

Just as with HIPAA, organizations must train staff members to identify and act upon red flags as a requirement of the Rules, says Borten.

“It’s not trivial, but it’s also not rocket science,” she says. “You should just be building on your HIPAA privacy and security requirements. If you’re a HIPAA-covered entity, there is certainly overlap.”

But you need more than checklists. You need policies and procedures, rolled out with constant refreshers, says Parmigiani. The Rules leave specifics to the organization’s discretion.

  • Meet the deadline. May 1 is a strict deadline, but Borten and Parmigiani say they feel the FTC will not aggressively enforce the Rules immediately.

“The actual likelihood of the FTC knocking on your door is small,” Borten says. “They go after the bigger fish usually, unless there is a serious breach.”

Still, that doesn’t mean you should disregard the deadline. The negative impact a breach can have on your bottom line, not to mention your patients’ health, is significant.