Identify theft is one of the country’s fastest growing crimes. Half of the annual 8.3 million identity thefts occur in the workplace, and medical practices are no exception, according to the Federal Trade Commission. Medical records are rich in information, such as a patient’s Social Security number, date of birth, credit card numbers, and insurance information, which can be misused for financial gain and for medical fraud.
As a result, Congress decided that all “creditors,” including healthcare providers, must develop an effective means of protecting against identify theft. The Red Flags Rule was introduced in 2007 and went into effect in 2008. The rule underwent multiple compliance-deadline extensions before the FTC mandated that it should be in place in all practices by November 1, 2009.
On July 29, 2009, the FTC not only gave practices a reprieve until November, but promised to update their website (see Table on page 8) with additional materials that clarify the general confusion that seems to prevail about the Red Flags Rule, especially in its application to low-risk, small businesses.
The rule’s ultimate goal is to identify and detect patterns and activities (red flags) that signal a privacy breach.
Needless to say, medical professionals are not gung-ho about the rule. “The Red Flags Rule will present yet another administrative burden to each medical practice,” said Cary Presant, MD, of Wilshire Oncology Medical Group in Los Angeles.
“Since nearly every practice will be covered by this rule, and many vendors will also be subject to it, each practice will have to modify its standard operating procedures manual to develop a theft prevention program and ensure that all its vendors have one in place. We will have to train office personnel and have a notification procedure for patients,” said Dr. Presant, who is also past president of the Association of Community Cancer Centers.
AMA sees red
The Red Flags Rule was not hoisted without a fight. The American Medical Association argued that health insurance payers are the creditors—not physicians. Additionally, doctors already devote substantial resources to complying with HIPAA requirements. Finally, the AMA painted a potential doomsday scenario in which physicians could demand payment up front or simply abandon practicing medicine altogether.
The FTC was unimpressed, drawing upon numerous court cases and regulatory decisions to support its position that healthcare providers are creditors. The FTC also maintained that the rule complements, not duplicates, HIPAA. The commission offered reassurance that providers would not be significantly burdened because the rule is designed to be “flexible and tailored,” according to Eileen Harrington, acting director of the FTC Bureau of Consumer Protection.
In a February 4, 2009 letter to the AMA, Ms. Harrington pointed out that most physicians’ offices already take some measures against identify theft, such as checking photo IDs and restricting access to patient files.
Of course, there is more to the rule than matching a patient’s face with a driver’s license. The rules require practices to implement a written identify theft prevention program that monitors daily operations. This written policy must be approved by a governing board or a senior-level employee. Also, a practice must designate an employee as the one individual at the practice who is responsbile for implementing and administering the prevention program. Finally, all employees must be trained on this policy and documentation of this training must be kept in their personnel files (see Table).
Adhering to the rule is more than a needless burden, according to Harry Perret, an identity theft risk management specialist and executive director of Prevention Benefits in Nashville, Tenn., and New Orleans. “Any liability leaves the doctor at risk,” he said, adding that the risks to patients are “both financial and potentially life-threatening.”
Ricky Newton, CPA, manages Cancer Specialists of Tidewater in Chesapeake, Va., and is a frequent speaker on practice issues at community oncology conferences. He told Oncology News International that he had just become fully aware of the Red Flags Rule. “I am trying to figure out what we are supposed to do to become compliant as a private practice. I am still confused about the details,” he said.