Get Ready to Follow the ID Theft Red Flags Rule


 

WASHINGTON — The federal Red Flags Rule that requires creditors to check for identity theft may mean a few new procedures for office-based physicians, Patricia King said at the American Health Lawyers Association's annual meeting.

“Do health care providers have to comply with the Red Flags Rule? Yes, if they're [considered] creditors,” said Ms. King, assistant general counsel at Swedish Covenant Hospital in Chicago.

The rule requires creditors to establish formal identity theft prevention programs to protect consumers. Aimed primarily at the financial industry, the regulation was originally scheduled to go into effect on Nov. 1, 2008. However, to give small businesses more time to prepare for compliance, the Federal Trade Commission (FTC) delayed enforcement until May 1, and then until Aug. 1, and most recently until Nov. 1.

Earlier this year, the AMA and physician specialty societies argued that physicians are not creditors because they bill insurance companies, not individual consumers, Ms. King said. “But the patient does get billed for copays, deductibles, and excluded services, so unless all those charges are collected up front, the health care provider is billing and possibly deferring payment for the cost of services.”

The FTC has published guidance and developed a template for an identity theft prevention program for low-risk creditors (www.ftc.gov/bcp/edu/pubs/articles/art11.shtm).

Low-risk providers who see the same patients regularly can adopt a simple identity theft program, and personnel involved with front desk, medical records, and patient account functions should be involved in the program, Ms. King said.

Physicians need to identify which patient accounts will be covered by the rule—such as those patients who need to make repeat payments—and develop appropriate policies and procedures. “The final [Red Flags] rule had 26 examples of identity theft. Look through them and see which ones are most applicable to you,” she advised.

Physicians also need to look at what information they collect when patients register. “Many of us need to re-think our standard registration procedures and beef them up,” said Ms. King. One example might be to ask for a photo ID.

Procedures for guarding against identity theft must be approved by the organization's board of directors and overseen by senior management, according to the rule.

Typical “red flags” that practices should watch for include:

▸ Insurance information that cannot be verified;

▸ No identification;

▸ A photo ID that does not match the patient;

▸ Documents that appear to be altered or forged;

▸ Information given that is different from information already on file;

▸ An invalid Social Security number;

▸ A patient who receives a bill or an explanation of benefits for services that he or she didn't receive;

▸ A patient who finds inaccurate information on a credit report or medical record; or

▸ A payer that says its patient information does not match that supplied by the provider.

In responding to a red flag, Ms. King said, a practice may refuse to provide service, but this might raise a problem under the Emergency Medical Treatment and Labor Act (EMTALA), which prohibits providers from not treating persons with questionable identification who require emergency care. The other option is to provide the service, but ask the patient to bring in the correct information at the next visit. Ms. King cautioned about freely providing medical records to a patient suspected of identity theft, because that could lead to more identity theft.

Patients also will have to be educated about the new rule, she said. “Providers are going to run into problems with patient expectations. Patients have gotten used to coming to their doctor … with either no identifying documents or only their insurance card. They will need some education in advance.”

Under EMTALA, a hospital cannot delay a medical screening examination or stabilizing treatment to inquire about insurance or payment, “but it can follow reasonable registration processes as long as the medical screening exam is not delayed by the process. So after the patient has been triaged and is sitting in the waiting room waiting to be seen for the medical screening exam, you can ask them for identifying information. But if they don't have identifying information, you can't turn them away.”

Providers also should note that compliance with the Health Insurance Portability and Accountability Act (HIPAA) does not shield them from complying with the Red Flags Rule.

“One of the questions we get is, 'I already comply with HIPAA; aren't I done?' The answer is, 'Probably not,'” said Naomi Lefkowitz of the division of privacy and identity protection at the Federal Trade Commission.
