Managing Your Practice

Ready for the Red Flags Rule?


By now, you are probably aware of the Fair and Accurate Credit Transactions (FACT) Act of 2003 and its “Identity Theft Red Flags Rule,” which require creditors to establish a program to prevent identity theft. The law will be enforced beginning this month, so if you haven't taken any action yet you'd better get cracking.

The law was originally aimed only at financial institutions, but the Federal Trade Commission, which is charged with enforcing it, subsequently decided it could apply to any group that would be considered a creditor, which the law defines as “any entity that regularly extends, renews, continues credit or arranges for the extension of credit.”

The FTC has specifically said that it will include medical providers in this definition “if [the provider] does not regularly demand payment in full for services or supplies at the time of service.”

In other words, if you routinely bill patients for any portion of your fees, including the portions not paid by insurance carriers, you are considered a creditor under this law.

To comply with the law, the FTC says that you must develop a program that allows you to do four things: identify relevant red flags (more on that below), detect red flags, prevent and mitigate identity theft, and update your program periodically.

So what is a red flag? Basically, it is a warning sign that should alert your practice to suspicious activity that may indicate identity theft. The FTC guidelines list five categories of warning signs that should be identified and addressed:

▸ Alerts, notifications, or warnings from a consumer reporting agency or any entity that performs services on your “covered accounts.”

▸ Suspicious documents.

▸ Suspicious identification documents.

▸ Suspicious activity relating to a “covered account.”

▸ Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with “covered accounts.”

Okay, so what is a “covered account?” It is any financial account used mostly for personal purposes that involves multiple payments or transactions, for which there is a foreseeable risk of identity theft.

The FTC says it is particularly worried about medical billing accounts because the theft of a patient's information to fraudulently obtain medical care can cause a variety of serious problems over and above those usually associated with identity theft, including exhaustion of the victim's health benefits and a potentially life-threatening corruption of medical records.

The law requires you to develop a written program appropriate to the size and complexity of your practice that spells out your responses to red flags and the preventive actions you plan to take if there is a breach or attempted breach of your database. The program should include appropriate staff training, as well as a plan for monitoring staff to ensure that they are all following the program.

You must update your program “periodically” (the law is no more specific than that) to reflect changes in risks to patients, ensuring that the program remains current and relevant as methods of identity theft change.

In other words, designing a program and putting it on a shelf to collect dust will not satisfy the law's requirements, nor adequately protect your patients.

If you employ a billing service and/or collection agency, or any other outside entity that has access to your covered accounts, you also must take steps to ensure that their activities are conducted using a reasonable identity theft program. This could be done through a written contract with the service provider, or by amending your existing HIPAA Business Associate Agreements.

Some states have their own additional rules that may need to be incorporated into your identity theft prevention program. Check with relevant agencies in your state regarding that possibility.

Violations of the Red Flags Rule can subject your practice to significant penalties—particularly if a patient suffers an identity theft that could have been prevented by your program, had it been properly implemented.

The exercise is not as onerous or time consuming as many assume. The American Academy of Dermatology points out that the law permits great flexibility, so if you determine that your practice has a low risk of identity theft, developing a program should be simple and straightforward, with only a few red flags to identify and deal with.

Medical practices and other businesses can find help online for developing their own programs. One good example, with a template that should be modifiable to fit most dermatology offices, is online at the California Society of Municipal Finance Officers' Web site www.csmfo.org/index.cfm?fuseaction=DetailGroup&CID=2478&NavID=181
