Health Information Management

Tip: Staff training is critical in preventing identity theft and complying with FTC 'Red Flags' rule

HIM-HIPAA Insider, November 3, 2008

Your healthcare organization may already have an identity theft policy in place to mitigate the risk of identity theft in accordance with your state law, but that doesn’t necessarily mean that you’re off the hook.
Organizations may also need to comply with a federal requirement that applies to creditors—including hospitals and other medical facilities that offer deferred payment options for patients. And they must do it soon because the FTC will enforce the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (final rule), beginning May 1, 2009.
Most facilities are at some risk for identity theft, so incorporating red flags into your existing policies, procedures, and staff training makes sense regardless of whether your organization offers credit. Organizations particularly need to educate registration and clinical staff members to help identify and flag suspicious accounts and respond appropriately, says Andrew Serwin, chair of the privacy, security, and information management practice at Foley & Lardner, LLP, in San Diego.
Staff members can verify identity in a number of ways. Registrars and clinical intake staff members can perform preliminary checks on date of birth, age, and gender. Requesting an ID in addition to an insurance card is a simple yet effective way of detecting identity theft. If the patient has a history of care at the hospital, staff members can help compare new and prior ailments and treatments. Hospitals can check the credit of individuals undergoing elective procedures who are responsible for a large portion of the bill.
Registration staff members in particular should be aware of the following red flags:
  • A mismatch between an individual’s address as listed on his or her insurance policy and that which appears on his or her driver’s license
  • A lack of correlation between the patient’s Social Security number range and date of birth
  • Documentation that appears to be forged or altered
  • An individual who refuses to provide all required personal identifying information when notified that his or her information is incomplete
  • A photograph on a driver’s license or other identification (ID) that doesn’t match the individual who presents it
  • A P.O. box or mail drop provided as an address
  • A telephone number that connects callers with a pager or answering service
“The big red flag is someone who comes in and says they never received a particular treatment,” says Judith Waltz, co-chair of the life sciences industry at Foley & Lardner, LLP, in San Francisco. And there are other obvious signs, such as the same patient presenting two consecutive days with inconsistent ailments, or a patient whose profile indicates that he or she is 85 years old but who presents as a 40-year-old seeking Percocet.

