Identity theft: Could it happen in your office?
By Marty Krawczyk
Under new regulations, medical practices must take steps to prevent identity theft
The Federal Trade Commission (FTC) Red Flag Rules, which went into effect on November 1,
2008, are part of the government’s continuing efforts to curtail the rise in identity theft. The
Red Flag Rules apply to “creditors”—including physicians—and provide guidance for establishing
protocols to detect, prevent, and mitigate identity theft.
Recognizing that physicians and others might need additional time to comply with the specific
provision for developing and implementing a written identity theft prevention program, the FTC
has granted a 6-month “delay of enforcement”—until May 1, 2009—for this part of the rules
only. To avoid penalties for noncompliance, physicians and practice administrators should start
developing and implementing such a program now.
Why does this apply to you?
If you regularly extend, renew, or continue credit—that is, you don’t demand immediate
payment for medical goods and services—the FTC considers you a creditor. Furthermore, if your
patients have accounts with you, and the potential for identity theft exists, you are subject to
the Red Flag Rules.
If you ask for credit reports on prospective patients, or if you issue credit or smart cards to
patients, you are also subject to the Rules. For example, the Rules require that if you receive a
change of address notice from a patient, you cannot issue a new card until you verify the
change of address.
What’s the risk?
In a healthcare setting such as a medical practice, a substantial amount of patient financial and
medical information is accessible to employees and other physician practices, hospitals, and
vendors. Medical identity theft occurs when someone uses another person’s name, insurance
information, or Social Security number (SSN) to obtain medical services or goods, or files false
insurance claims and falsifies medical records to support those claims.
Identity theft affects everyone and has a significant impact on patient care and safety. A
catastrophic event could result if the physician bases treatment on falsely provided medical
information. From an economic perspective, the cost of medical identity theft is huge and
growing.
What is an identity theft prevention program?
Although all identity theft prevention programs share certain characteristics (such as being
written documents), they vary in size and complexity depending on your practice, the scope of
its activities, and the potential risk for identity theft. For example, a solo practitioner in a rural
area who knows all of the residents of the community by sight would have a different program
than a 50-physician group practice in a large, urban setting.
If you already have policies and procedures in place to comply with the Health Information
Portability and Accountability Act, you can include them as part of your program, in addition to
any strategies you currently use to verify patient identity. The World Privacy Forum
(www.worldprivacyforum.org) has developed samples and information to help healthcare
providers understand and develop an identity theft prevention program. Be sure to have legal
counsel review the written document to ensure that you fully comply with all provisions of the
Red Flag Rules, including the following elements:
Assessing risk factors
Identifying “Red Flag” sources
Establishing procedures for detecting red flags
Training staff
Updating the program
Preventing and mitigating identity theft
Administering the program
Assessing risk factors
The financial impact of identity theft can be substantial. A patient with stolen photo identification
and insurance cards may not be detected until treatment is completed and the real insured
patient is billed. For the financial stability of your practice, you and your practice executives
should carefully review your procedures and processes to identify points in the patient/practice
encounter where you can recognize identity theft and take appropriate action.
Your identity theft prevention program should include measures for protecting patient accounts
and financial information. You should identify the “red flags” that alert you to breaches in
security. Practices that use electronic medical records (EMR) systems can limit access to
sensitive financial information by implementing security parameters such as password protection
and audit trails. Securing access to financial information found in paper charts is much more
challenging.
Do not forget to assess the risk to your practice as well. Include red flags that can indicate
potential theft of practice-related information, including bank account numbers, signatures, tax
identification numbers, and the SSNs of physicians and staff.
Identifying red flag sources
If you have had prior experience with patient- or practice-related identity theft, you’ve probably
examined how it happened, what could have alerted the staff to it, and what should be done to
avoid a recurrence. This information can be the starting point for your identity theft prevention
program under the new rules.
First, identify points where the potential for false identity can occur, beginning with the new
patient intake process. Potential red flags that warrant action by staff include the following:
Do the patient’s identification documents appear altered or forged?
Are there inconsistencies between verbal and written (documented) information?
Is the patient’s SSN listed on the Social Security Administration’s Death Master Registry?
The guidelines also call for monitoring the security of existing accounts, such as your patient
financial records. For example, if a patient notifies you of a possible identity theft, you should
have policies and procedures in place to note this in the chart, EMR, and billing records.
Other possible sources of red flag activity include failure to enforce rules against password
sharing, and the procedures for releasing medical records to the patient, hospitals, and other physicians.
Establishing procedures
Once you’ve identified potential red flags, you should document and establish procedures for
detecting them. For example, in your new patient intake process, you may develop a checklist
that prompts staff to ask for identifying information such as a driver’s license, identification
card, passport, or other government-issued photo identification, and that provides guidelines
for examining it.
Some practices have begun asking patients for permission to take a photo that is added to the
patients’ medical records to aid staff in future identification. Photocopying the patient’s
identification may also be helpful.
You should also have policies and procedures for securing your practice’s financial information.
Limit access to information about the business side of the practice, including employee records
and salaries.
Training staff
Training is critical for an effective identity theft prevention program. Staff and physicians should
know what the red flags are and how to respond appropriately. They must understand the
seriousness and the impact of medical identity theft. Periodic training will keep everyone alert
and active in preventing potential liability and loss of practice revenue.
Updating the program
Methods of identity theft are constantly evolving. Review and update your program regularly.
New business arrangements (mergers, alliances, or changes in provider arrangements) should
trigger a review and update. Although the guidelines do not define how frequently you should
update your program, a quarterly review by practice physicians and staff would be beneficial.
Preventing and mitigating identity theft
If an identity theft situation occurs, you should have procedures in place for responding to the
breach in security. The detection of red flags or any unusual activity related to patient records
must be brought to the attention of a physician or senior level manager who can determine
what action to take. In some cases, for example, you might contact the patient directly, notify
law enforcement, close a patient record and create a new one, change passwords, and/or
change security codes to prevent future identity theft.
Administering the program
The responsibility for administering the program depends upon the legal entity of the practice.
For example, in an incorporated medical practice, the board of directors or executive committee
would be responsible; in a sole proprietorship, the physician or a senior level management
employee would be the administrator. Consult your legal advisor on this issue.
Avoid penalties by acting now
The new rules require you to have a written identity theft prevention program; under the Fair
Credit Reporting Act, you could face monetary penalties if you don’t comply. Because programs
are developed based on risk and flexibility, the FTC will determine whether you’ve made a good
faith effort to comply. From a practice management best practices standpoint, an identity theft
prevention program can protect both patients and the practice from significant harmful effects.
Marty Krawczyk, a practice management coordinator in the AAOS practice management group,
can be reached at krawczyk@aaos.org