Staff training is critical in preventing identity theft and complying with FTC Red Flags rule
HIPAA Training Advisor, November 13, 2008
Although identity theft is often associated with exploited credit cards, patients can also be subject to medical identity theft when thieves use a victim’s identity to undergo procedures or receive treatment or prescriptions using the victim’s medical insurance information—essentially stealing his or her identity to obtain services.
And although your hospital may already have an identity theft policy in place to mitigate the risk of identity theft per your state law, that doesn’t mean you’re necessarily off the hook. That’s because hospitals may also need to comply with a federal requirement for creditors (including hospitals and other medical facilities that offer deferred payment options for patients).
The catch? They must do it soon. The FTC will enforce the rule, referred to as the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (final rule), beginning May 1, 2009.
According to the legislation, creditors must implement a formal written policy that outlines how they intend to detect, mitigate, and prevent identity theft. Hospitals that fit this bill must work diligently to determine how they will identify red flags, which the rule defines as patterns, practices, or specific activities that denote the possible existence of identity theft.
Many hospitals may have overlooked this federal requirement because of its focus on financial institutions and joint adoption by various federal agencies that regulate these financial institutions, says John Healey, associate at McDermott Will & Emery, LLP, in Chicago. But because most facilities are at some risk for identity theft, it makes sense to take a look at the red flags and incorporate them into your hospital’s existing policy, regardless of whether your facility offers credit. Examples of red flags include, but are not limited to, any of the following:
- A mismatch between an individual’s address as listed on his or her insurance policy and what appears on his or her driver’s license
- A lack of correlation between the patient’s Social Security number range and date of birth
- Documentation that appears forged or altered
- An individual who refuses to provide all required personal identifying information when notified that his or her information is incomplete
- A photograph on a driver’s license or other identification (ID) that doesn’t match the individual presenting it
- An address provided that is a P.O. box or mail drop
- A telephone number that connects to a pager or answering service
“The big red flag is someone who comes in and says they never received a particular treatment,” says Judith Waltz, cochair of the life sciences industry at Foley & Lardner, LLP, in San Francisco. And there are other obvious signs, such as the same patient presenting two days in a row with inconsistent ailments, or a patient whose profile indicates that he or she is 85 years old but who presents as a 40-year-old seeking Percocet, says Andrew Serwin, chair of the privacy, security, and information management practice at Foley & Lardner, LLP, in San Diego.
Hospitals particularly need to educate registration and clinical staff members to help spot and flag suspicious accounts and respond appropriately, Serwin says. There are also a variety of other ways by which staff members can verify identity. For example, registrars and clinical intake staff members can perform preliminary checks on date of birth, age, and sex. Asking for an ID in addition to an insurance card is a simple yet effective way of detecting theft. And if the patient has a history of care at the hospital, staff members can help compare new ailments and treatments to prior ones. Some hospitals may also consider performing a credit check for individuals undergoing elective procedures who are responsible for a large portion of the bill.
To view the red flag rule, which was published in the November 9, 2007, Federal Register, visit http://edocket.access.gpo.gov/2007/pdf/07-5453.pdf. For examples that providers can use when developing an identity theft prevention program, see Supplement A through Appendix J of the rule.