Red Flags Rule, Your Vendors and You

It's Monday morning and your week appears to be off to a very bad start. You just received a call from a law enforcement officer. A patient's identity has been stolen, and the information breach was traced to his dealings with your facility. You call up your IT department which, after careful research, traces the problem back to one of your vendors. "Thank goodness," you think, "we're off the hook." Right? Wrong!

Whereas in the past this may have been the case, on Aug. 1 the FTC will start holding you responsible for your vendors' actions. It's not enough that you have and implement an appropriate "Red Flags Rule" policy; you will now be responsible for ensuring that your vendors do, too.

Red Flags Rules: What are they and when do they apply?
A red flag is a warning sign of potential identity theft or medical identity theft in your facility's day-to-day operations. The term Red Flags Rule refers to an organization's legal obligation to develop and implement a written identity theft prevention program to identify, monitor, detect and respond to occurrences of these red flags.

Whether or not a facility is covered by the Red Flags Rule depends on whether it is considered a "creditor" that has "covered accounts." If you require full payment before or at the time of service, or if you accept only direct payment from Medicaid or similar programs under which the patient has no responsibility for the fees, you are not a creditor. However, if you bill patients after services are completed (in one or multiple payments), allow patients to set up payment plans after the service has been rendered, or help patients obtain credit from other sources (even if your "help" consists only of handing patients a credit application from a third-party vendor), you are a creditor under the FTC rules.

More specifically, the FTC defines creditor as "any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit."

"Covered accounts" are consumer accounts that allow multiple payments or transactions, or any other account with a reasonably foreseeable risk of identity theft.

Key elements of a Red Flags Rules policy
A written Red Flags Rules policy must be designed to identify, detect and respond to specific activities, patterns and practices in order to mitigate the risk of identity theft. It is required to include the following elements:

  • Mitigation and prevention of potential problems — An ounce of prevention is worth a pound of cure, especially in the area of identity theft. To prevent problems from occurring in the first place, a facility needs to reassess the methods used to open and access accounts, limit the information collected and limit access to this information. For example, it is recommended that the HIPAA "minimum necessary standard" be implemented to include demographic information. Take a look at which systems maintain Social Security numbers. Can this be reduced? Would limiting access to the last four or five digits of the number be sufficient? What can be done to limit the use of patients' birthdates? If patients' driver's licenses are currently asked for and photocopied, can this practice be eliminated? Is sensitive patient data ever sent via fax or other non-secured method?

    Policies need to cover access to, storage of and disposal of documents, computers and electronic storage devices that contain personally identifiable information.

  • Identification of potential red flags — The policy must identify the known and likely red flags for the organization's industry and operations (see "Common Healthcare Red Flags" for a list of common red flags for providers).
  • Monitoring and detecting red flags — It is not enough simply to list the potential red flags. System controls must be put in place to detect abnormal activity on covered patient accounts (such as numerous changes to account information or multiple views of a patient's account in a short timeframe) and to automatically notify appropriate internal personnel when a red flag event is identified. A patient's identification should be verified every time services are provided. Patients should be educated about medical identity theft, and if a problem occurs the facility should provide dedicated staff to help victims confirm the crime and determine its scope.
  • Responding to potential issues — The policy needs to include uniform procedures to implement once a red flag is brought to the organization's attention (either through internal controls and practices or by any third party). What will be done if patients claim they have fallen victim to fraud due to their patient file or report being billed for services not received? How will the organization respond if it uncovers a case of identity fraud? How should personnel respond to police reports and requests for identity theft investigations from patients? What procedures will be followed if a provider or employee has altered a patient's records?

    Appropriate responses to the detection of red flags may include monitoring a covered account for evidence of identity theft; contacting the patient; changing passwords or security codes that permit access to a covered account; closing a covered account; reopening a covered account with a new account number; notifying law enforcement; and determining that no response is warranted under the particular circumstances.
  • Administering the program. The written identity theft prevention program must be approved by the organization's board of directors (or an appropriate committee of the board). It must include a plan for appropriate, ongoing staff training on implementing the program. Senior management's roles and responsibilities must be clearly spelled out, with a designated individual or committee responsible for each aspect of the program, and there must be a predetermined schedule for periodically evaluating and updating the red flags and the processes that address them.
  • Overseeing service providers. The policy needs to identify which vendors have access to sensitive information and/or are otherwise covered by the Red Flags Rules, designate responsibility for oversight of the vendors' Red Flags Rules programs and specify how this oversight will take place.
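The "system controls" called for under monitoring and detection above can be as simple as a sliding-window rule over the account audit trail. The following Python script is an added example, not code from the original article or from Mnet: it parses a constructed audit log and raises an alert when one account's demographic fields are changed repeatedly, or when the account is viewed many times, within a short window. The log format, user and account identifiers, window length and thresholds are all assumptions chosen for illustration; a real deployment would read the practice-management or hospital information system's own audit trail and route the alert to the staff designated in the program.

```python
"""Sliding-window detection of two common healthcare red flags:
repeated changes to a patient account's demographic data, and
repeated views of one account within a short period.
Added example; log format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines (not real data). Assumed format:
# timestamp|user|account|action|detail
SAMPLE_LOG = """\
2009-06-01T09:00:12|rbrown|ACCT-1001|update|address
2009-06-01T09:04:40|rbrown|ACCT-1001|update|phone
2009-06-01T09:07:05|rbrown|ACCT-1001|update|ssn
2009-06-01T09:10:51|rbrown|ACCT-1001|update|dob
2009-06-01T09:12:00|jlee|ACCT-3003|update|phone
2009-06-01T10:00:00|jlee|ACCT-2002|view|demographics
2009-06-01T10:01:30|mkhan|ACCT-2002|view|demographics
2009-06-01T10:02:10|jlee|ACCT-2002|view|insurance
2009-06-01T10:03:45|tsmith|ACCT-2002|view|demographics
2009-06-01T10:05:00|mkhan|ACCT-2002|view|billing
2009-06-01T10:08:20|tsmith|ACCT-2002|view|demographics
2009-06-01T14:00:00|jlee|ACCT-3003|view|demographics
2009-06-01T15:00:00|jlee|ACCT-3003|update|address
"""

# Per-action rule: (red flag name, minimum events in one window).
# Threshold values are assumptions; tune them to your own baseline.
RULES = {
    "update": ("rapid_account_changes", 3),  # >= 3 demographic updates
    "view": ("excessive_views", 5),          # >= 5 views of one account
}


def parse_log(text):
    """Parse the pipe-delimited audit log into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, account, action, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "account": account, "action": action, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_red_flags(events, window=timedelta(minutes=30), rules=RULES):
    """Return one alert per (account, action) whose event count inside
    any sliding window of `window` length reaches the rule threshold."""
    recent = defaultdict(deque)   # (account, action) -> events in window
    alerted = set()               # suppress duplicate alerts per key
    alerts = []
    for ev in events:
        if ev["action"] not in rules:
            continue
        key = (ev["account"], ev["action"])
        q = recent[key]
        q.append(ev)
        # Drop events that have aged out of the window.
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        flag, threshold = rules[ev["action"]]
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "flag": flag,
                "account": ev["account"],
                "count": len(q),
                "users": sorted({e["user"] for e in q}),
                "first": q[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    # Stand-in for the "notify appropriate internal personnel" step.
    for a in detect_red_flags(parse_log(SAMPLE_LOG)):
        print(f"{a['flag']}: {a['account']} had {a['count']} events by "
              f"{', '.join(a['users'])} between {a['first']} and {a['last']}")
```

Each key is alerted once so that a burst of activity produces a single ticket rather than one per event; in production you would clear the `alerted` entry after a cool-down so a second burst days later is caught again, and you would feed the alert into whatever queue the program's designated staff actually watch.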

How the Red Flags Rules impact your vendor relationships

As noted, it is not enough to have a policy in place for your facility. You must also make sure that your vendors, especially your collection agency, have and implement similar policies. Your vendors must follow the same Red Flags Rules as you do; if they don't, you are the one who is ultimately responsible.

It is recommended that you revise your contracts with these vendors to include a provision requiring the vendor to have a written Red Flags Rules policy in place. The contract should also require that, if a red flag occurs on one of your patients' accounts, the vendor reports the incident to you and responds appropriately to mitigate the harm.

In addition, it is a good idea to share your written identity theft prevention program with your vendors and request and review copies of their written policies. Ask your vendors to provide periodic reports about the red flags they have detected and their responses to these incidents.

Note: To learn more about the Red Flags Rule, visit the FTC's Web site to download a copy of the publication "Fighting Fraud with the Red Flags Rule: A How-To Guide for Business."

Mr. Hamilton (dhamilton@mnetfinancial.com) is president and CEO of Mnet Collection Agency. Mnet specializes in helping medical providers improve their cash flow and reduce their bad debts. Customers include specialty hospitals, ASCs, imaging centers and physicians.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.