2. Red Flag Rules
The Federal Trade Commission has established a deadline for compliance with a new rule mandating programs to guard against identity theft: May 1, 2009.
Organizations that can be considered creditors must comply with this rule.
3. Medical Identity Theft (MIT)
Taking someone’s identity:
• To receive care
• To make false claims for money
And in the process:
• Adding false information to a person’s medical record
4. Impact on an Individual
Possible Consequences of MIT
Wrong information in the record can lead to:
1. Future denials of insurance coverage
2. False claims that count toward a lifetime maximum
3. False diagnoses
4. Unsafe or deadly care
5. Impact on the Care Provider
The care provider relies on the health record for the truth of the patient’s condition and status. The ability to provide the correct treatment to the correct patient depends upon the accuracy of the health record.
6. Impact on the Care Provider
When the record is on paper, separating the true from the false information can be difficult, but in the electronic record, it is even more complicated.
7. Precautions for Individuals
What can individuals do? There are several steps an individual can take:
1. Share personal and health insurance information only with trusted providers.
2. Review the Explanations of Benefits that come from insurers to monitor care that is billed in your name.
8. Precautions for Individuals
3. Request a yearly summary from the insurer of all the benefits paid for that year.
4. Maintain copies of your healthcare records (see www.MyPHR.com for further help).
9. Precautions for Individuals
5. Check your personal credit history for medical liens.
6. Question telephone marketers or anyone offering a “free” service (such as immunizations, free samples, or other activities) who asks for your insurance card in the process.
10. Precautions for Individuals
7. Request a yearly accounting of disclosures from your healthcare providers.
8. When you find errors in your record, request that they be removed and your record amended.
11. Red Flag Rules
What are the obligations for a health care provider covered by the Red Flag Rule as a creditor?
The provider must develop and implement a written program that identifies and detects the warning signs of identity theft and also describes appropriate responses to prevent and mitigate the crime.
12. Red Flag Rules
Red Flags fall into five categories:
1. Alerts, notifications, or warnings from a consumer reporting agency;
2. Suspicious documents;
3. Suspicious personally identifying information, such as a suspicious address;
4. Unusual use of – or suspicious activity relating to – a covered account; and
5. Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
13. Red Flags for Health Care Providers
• A complaint or question from a patient based on the patient’s receipt of:
– A bill from another individual
– A bill for a product or service that the patient denies receiving
– A bill from a health care provider that the patient never patronized, or
– A notice of insurance benefits (EOB) for health services never received.
14. Red Flags (continued)
• Inconsistencies in the medical record
• A complaint or question from a patient about the receipt of a collection notice from a bill collector
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached
15. Red Flags (continued)
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance
16. Preventative Measures for Healthcare Providers
1. Establish patient verification processes that include some kind of photo identification. Make sure the process is as thorough as possible.
17. Preventative Measures for Healthcare Providers
2. Minimize the use of social security numbers and, if at all possible, eliminate using and displaying them altogether.
18. Preventative Measures for Healthcare Providers
3. Store individually identifiable health information in a secure manner and ensure that administrative, technical, and physical safeguards are in place.
19. Preventative Measures for Healthcare Providers
4. Implement and comply with procedures for the appropriate disposal and destruction of any media used to collect and store individually identifiable health information.
20. Challenges to Mitigation
• Lack of enforceable rights to correct medical records in all instances.
• Lack of a government agency dedicated to helping victims of medical identity theft.
• Lack of enforceable rights to delete misinformation from medical records.
21. Challenges (continued)
• Lack of ability in most cases to find all instances of medical records.
• Lack of information resources about the unique needs of medical identity theft victims.
24. References Used
• World Privacy Forum: www.worldprivacyforum.org
• AHIMA Practice Brief: Mitigating Medical Identity Theft, found online at www.ahima.org
• Red Flag Rules, found online at www.ftc.gov
• www.MyPHR.com
25. References Used (continued)
• FTC issues Red Flag Rules Reminder; Ensuring IT is ready as unlimited liability looms on the horizon, found online at www.connect.educause.edu/Library/Abstract/FTCIssuesRedFlagRulesRemi.com
• ID Theft Affidavit, found online at www.ftc.gov
Editor's Notes
Welcome to the session “Medical Identity Theft and The FTC Red Flags Rule.” My name is Dulcey Whyte, and I am the Health Information Management Director at Northwest Orthopaedic Surgeons.
The importance of protecting health information is not a new topic for any of us. We make privacy decisions every day. It’s not a new topic to us as healthcare consumers. Privacy laws have protected our health information for decades.
As the healthcare industry switches from paper to electronic, it’s critical to keep privacy responsibilities in front of us, especially since change can happen quickly, and we must maintain privacy practices that are trustworthy at all times. Confidentiality is possible only when everyone―the entire workforce and consumers―understands and does his or her part. This presentation discusses medical identity theft and the Federal Trade Commission’s Red Flags Rule and how all of us can comply to keep our information safe.
The latest in federal actions against medical identity theft comes from the Federal Trade Commission (FTC). Known as the “Red Flag Rules”, they call for the creation and development of a program to guard against identity theft, effective May 1, 2009.
The Red Flag Rules were developed pursuant to the Fair and Accurate Credit Transactions Act of 2003. As healthcare facilities frequently allow patients and consumers to pay their bills in installments, they fall under this rule by providing credit.
Essentially, if a health care provider extends credit to a consumer by establishing an account that permits multiple payments, the provider is a creditor offering a covered account and is subject to the Red Flag Rules. The supplementary information accompanying the final publication of the Red Flag Rule explains the application of the rule in the health care world:
For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk. 72 Fed. Reg. 63727 (Nov. 9, 2007).
The purpose here is to focus on identity theft matters specific to health care providers and to medical identity theft.
The World Privacy Forum published the first report identifying medical identity theft as a significant national problem. The report offers this definition of medical identity theft:
“theft that occurs when someone uses a person’s name and sometimes other parts of their identity―such as insurance information or social security number―without the victim’s knowledge or consent to obtain medical services or goods, or when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.”
At first glance, this looks like plain old fraud. But the insidious results can affect the victim’s health, as well as their credit history.
Not only can medical identity theft cause credit and financial problems for the victim, it can impact their future health. Insurance coverage can be denied based on a false diagnosis, or insurance benefits can run out after the lifetime maximum has been reached. Most importantly, victims of identity theft could be treated for conditions they don’t have, increasing the likelihood of complications or even death.
A report published by the World Privacy Forum mentions “a Pennsylvania man who discovered that an imposter used his identity at five different hospitals to receive more than $100,000 worth of medical treatment. At each hospital, the imposter created medical histories in the victim’s name.” * In another case, a Massachusetts psychiatrist created records with psychiatric diagnoses for real people who were not his patients and billed insurance companies. These patients had to deal with the ramifications of these false diagnoses for a long time.*
*From “Medical Identity Theft: The Information Crime That Can Kill You,” found at www.worldprivacyforum.org.
Medical identity theft doesn’t just affect the patient. Healthcare facilities must take steps to prevent medical identity theft because the basis for quality healthcare is having the right information for the right patient. When medical identity theft occurs in an organization, the truth of the medical record is called into question. What information is correct? Healthcare professionals depend on the accuracy of the health record.
Paper records are tangible objects that can be analyzed for true versus false information. Electronic records, however, are more complicated. Data that is collected and then populated into other databases will save time and make medical information available to those who need it. But if the information is false, extracting what is untrue from what is true is difficult, time-consuming, and expensive.
What can individuals do? There are several steps you can take:
You should guard your health information as you would your credit cards, driver’s license, and passport. This includes your insurance card. Only give this information to those who have a need to know it.
When you receive an explanation of benefits in the mail, look it over and make sure that the care that was delivered and paid for by your insurance company was indeed delivered to you or someone in your family. If you discover care you cannot account for, contact your insurer and provider to let them know.
Requesting a yearly summary is another way to track your healthcare and help you see if there are any unusual bills. Again, contact the healthcare provider and the insurance company if you find discrepancies.
Start collecting copies of your personal health record (PHR). If you have what you know to be true either with you or easily accessible, you can help ensure the right information is available at the time you need it. An excellent place to begin is at www.MyPHR.com. There are handy tips on how to start and maintain a PHR.
Checking your credit history is something you should do on an annual basis for your financial well-being. At the same time, reviewing it for medical liens will also help you find out if your medical information has been used by someone else.
Sometimes those who would commit fraud obtain your information from you when they offer a free service. Individuals should always question what is being offered and who is paying the cost. If you aren’t satisfied with the answers, you should decline the service.
Request an accounting of disclosures yearly from your healthcare providers. This will help you monitor what, when, and to whom information was sent.
When you find errors, request the correction of the errors. All healthcare facilities, under the HIPAA Privacy Rule, must have procedures in place to allow individuals to request amendment of their record. At NWOS, you can request amendment by submitting your request in writing to our Privacy Officer, in accordance with RCW 70.02.100 and the HIPAA Privacy Rule, 45 C.F.R. §164.526.
The Red Flag Rules provide all financial institutions and creditors with the opportunity to design and implement a program appropriate to the size, complexity, and nature of their operations. A large hospital will need a more robust program than a two-doctor office.
Guidelines issued by the FTC, the federal banking agencies, and the NCUA should be helpful in assisting covered entities in designing their programs. A supplement to the guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point.
This information is taken directly from the FTC Web site cited in the reference slide.
Based on the World Privacy Forum report and their subsequent work, the WPF offers suggestions for Red Flags that a Health Care Provider should include in any Identity Theft Prevention Program.
An unexpected bill or notice of benefits can be one way that a patient can learn that she has been a victim of medical identity theft.
EOB’s are potentially important tools for patients and providers. For example, hotline information to report possible fraudulent or suspicious activity can be included on an EOB.
In particular, records that show substantial discrepancies in age, race, and other physical descriptions may be evidence of medical identity theft.
In the World Privacy Forum Report on Medical Identity Theft, you will find illustrations of how an incorrect blood type was evidence that the patient was a victim of medical identity theft. This report also illustrates how members of a family can be victimized by “looping”, where a thief uses one family member’s benefits and then turns to the next family member when the first victim’s benefits have run out.
Although financial identity theft differs significantly from medical identity theft, a victim of financial identity theft may be more likely to also be a victim of medical identity theft.
Victims of financial identity theft may have filed police reports about their case, and these need to be taken into account. You may include in your MIT program a requirement that the patient provide you with an affidavit of Identity Theft and/or a copy of the police report.
Another factor that increases the importance of a red flag is if the health care provider or other relevant entity in the health care community has had a recent data breach that included the patient’s data.
A medical identity thief may succeed by obtaining the medical insurance number and other information about the victim. The absence of an actual insurance card is evidence suggesting that the person being treated may not be the actual insured. Note: This particular Red Flag has to be applied with caution because there are other reasons a patient may not have her insurance card.
Healthcare facilities also have measures they can take to help prevent medical identity theft. First, a healthcare provider should ask for picture identification along with the insurance card when a patient checks in for their visit.
At NWOS we use some or all of the following for verifying a patient’s identity:
1. Photo I.D.
2. Insurance Card
3. Government issued I.D.
4. Address verification
5. Phone number verification
Since the social security number is an important piece of information related to individual identity, healthcare facilities should not use it to identify a patient or store it anywhere in a file. Most insurance companies no longer use the social security number for this reason.
At NWOS, we have taken the following steps regarding social security numbers:
1. Minimize requesting the SS # by removing the box from our patient registration sheet.
2. Restrict the use of SS #s by only requesting it if it is part of your insurance subscriber number.
3. We do not use it to identify our patients.
4. Provide Reception with a list of known insurance companies which require SS #s.
This step refers to our security measures. The HIPAA Security Rule was implemented in April 2003, and requires that organizations address the security of individually identifiable health information. The safeguards required in the rule include proper procedures for security management, information access, facility access controls, workstation use and security, and access control.
Here at NWOS we have implemented all that the HIPAA Security Rule requires, and would like to emphasize some ways we follow those rules:
All shred buckets should be dumped into the locked shred bins nightly.
We use security codes to access the building.
We use passwords to log onto the computer.
We only fax PHI to covered entities as defined by HIPAA standards, including insurance companies and healthcare facilities.
We adhere to HIPAA “minimum necessary” standards in all circumstances.
New procedures for the transportation of files from one location to the other by staff (security bags) have been initiated.
We use backup tapes, stored off site, for compliance with our disaster plan.
Retention and destruction is an extremely important process. Healthcare providers must pay attention not only to the retention and destruction of paper documents, but also to the proper disposal of information stored in any media such as microfilm, laser disks, and computerized data. The data must be eliminated or destroyed so there is no possibility of any reconstruction of data. Complicating this rule is the ease with which computerized data can be replicated. Any data automatically sent to or replicated in another database must have a destruction schedule too.
At NWOS we have the following procedures for the destruction of data:
1. All paper PHI is collected in locked containers and shredded by our shredding company biweekly.
2. Disposal of backup tapes by magnetically erasing them.
3. Yearly we purge our records ten years and older and have them shredded onsite.
4. All computer hard drives considered “old” or “no longer in use” are to be manually obliterated.
5. All micro-cassette dictation tapes are magnetically erased.
In general, the health care industry has not paid sufficient attention to helping individual victims of medical identity theft. The World Privacy Forum Medical Identity Theft report discusses the problems victims can have when they seek to correct health records and otherwise recover from medical identity theft. The report identified these challenges:
Suggestions for ways to mitigate:
You can include a specific link to the FTC website and other identity theft resources on your website for patients who feel their identity has been stolen. This could also provide them with access to the ID theft Affidavit and many other forms such as a request for their medical records and a form requesting amendment of their records.
The FTC is authorized to bring enforcement actions in federal court for violations, and may impose penalties of up to $2500 for each independent violation of the rule.
States are authorized to bring actions on behalf of their residents and may recover up to $1000 for each violation, and may recover attorney’s fees.
Civil – this area is where companies stand to lose the most. Not only will companies suffer untold damage to their reputation and subsequent customer churn, but each consumer may be entitled to recover actual damages sustained from a violation. There is the possibility of class action lawsuits potentially resulting in massive damages.