Red Flags Rule Delayed, but Brought to the Forefront in Healthcare

Cut healthcare costs through existing infrastructure
New FTC regulations enforcing identity theft prevention include providers

In an important announcement affecting hospitals and physicians, The Federal Trade Commission (FTC) has extended the deadline for creditors to implement Red Flags Rule to August 1, 2009. Under this directive, which is aimed at preventing consumer identity theft, creditors are required to create a written and actionable program to detect warning signs, or “red flags”, which alert institutions to take extra steps to confirm an applicant's identity. The official directive is defined loosely so that it can be applied to numerous industries.

Providers as creditors
Why is this important news for hospitals and physicians? If healthcare providers allow patients to defer payments or set up an outside line of credit to help them pay for care, that is considered acting as a creditor under the federal regulation and will require providers to create a reasonable set of rules to identify red flags to prevent identity theft. In addition, each institution's board of directors will be obligated to monitor the new system. This board will also be accountable for making sure the system is reviewed and updated regularly to deal with the changing marketplace and tactics of identity thieves.

Seek expert guidance
Creating these new procedures can create unique and complex situations for providers due to privacy concerns, regulations and even legislation (such as HIPAA) specific to the handling of patient records, securing of financial information and refusal of care. Therefore, consulting with the appropriate legal, financial and technical professionals to ensure compliance should be considered. There are also commercially available tools designed to guide providers through this process. These advisors and programs can help create an efficient and effective system that fits the way a facility currently operates. Because every facility is different, and there is a wide range of options for assistance, it is important to closely examine potential partners to make sure you find someone who understands the unique needs of a healthcare business.

No criminal penalties
There are no criminal penalties for non-compliance with the FTC Red Flags Rule. However, failure to comply could potentially lead to civil monetary penalties that would be costly for any healthcare business. The primary reason creditors, businesses and the healthcare industry should participate is simple: it’s what customers and patients expect.

What to look for
The FTC lists the examples below as events that should set off red flags and trigger a more in-depth review under the new guidelines:

• Alerts, notifications, or warnings from a consumer reporting agency
• Suspicious documents, such as an incorrect or invalid driver’s license or social security card
• Suspicious personal information on applications; such as a suspicious address
• Unusual use of, or suspicious activity relating to, a covered account
• Notices from insurance companies, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
The FTC describes these as starting points, and not the end result every Red Flags system should follow.

What to do with a flag
Once a suspicious event has been brought to your attention, there are a large number of things that can be done to help protect the integrity of a healthcare business and a patient’s privacy. Here are a few suggestions from the FTC:
• Do not open a new account if there are suspicions of the validity of that person’s true identity
• Continue monitoring the covered account for evidence of identity theft
• Contact the customer to confirm correct identity
• Change passwords, security codes, or other methods of account access
• If unauthorized access is expected, close an existing account and reopen the account with a new account number
• Do not try to collect on an account or sell an account to a debt collector if you have reasonable and strong suspicions that identity theft has occurred with a covered account
• Notify law enforcement for further investigation
Prevention is the key
If the new Red Flags system is effective, it should not only help prevent fraudulent patients from receiving potentially dangerous medical treatments, but it will also help providers realize more revenue due to the reduction in unpaid bills left by fraudulent actions. The responsibility for reducing identity theft and fraudulent activity within the healthcare industry lies with each healthcare provider. The more proactive providers are to address the Red Flags Rule the more prepared they will be on August 1, 2009.

Learn more by visiting the Federal Trade Commission’s website and be sure to consult documented FTC literature: Fighting Fraud with the Red Flags Rule: A How-To Guide for Business.



Read More >>