Red Flag Rule Takes Aim at Medical Identity Theft

LYNNE JETER


Healthcare Providers Must Be in Compliance by May 1

In Jackson, Miss., the office manager of a physicians' practice quietly went on a spending spree. She had plastic surgery done, dined at the finest area restaurants, bought a hot tub and then an RV, and spent big bucks on other luxury items that eventually totaled $120,000.

Today, she's serving three years in federal prison, paying restitution, and faces three years of supervised release after completing her sentence.

What happened? The office manager slyly opened unauthorized credit card accounts for the clinic, using the doctors' personal information to establish credit and authorizing herself as a user. When the credit cards arrived by mail, she discarded all but hers.

"This was an unusual type of medical identity, but fraud all the same," said assistant U.S. attorney David Fulcher.

Epidemic

Identity fraud is the fastest-growing type of white-collar crime in America. Medical identity theft is the fastest-growing type of identity fraud, having mushroomed more than 400 percent in 2008.

Medical identity fraud typically takes place when a person's name and parts of their identity—insurance information, for example—are used to acquire medical goods or services without that person's consent, usually because the criminal needs treatment or is uninsured. This type of deception often results in erroneous entries being placed in existing medical records and may involve the creation of false medical records in the victim's name.

"What every practice should know about identity theft and the related laws is that being compliant with HIPAA isn't enough," said Lisa Asbell, RN, president of Identity Theft Resolutions in St. Petersburg, Fla. "There are other federal identity theft related laws that apply to every medical clinic and facility in the United States."

New Mandate

Aimed at thwarting medical identity fraud, the new Red Flag Rule under HIPAA requires healthcare providers, which the FTC labels as creditors, to have an Identity Theft Prevention Program in place by May 1.

"The financial ramifications of your patient's information being lost or stolen could be devastating to even the most successful practices," said Asbell. "Did you know that a medical insurance card can sell on the black identity theft market for up to $500 each? Did you know that a patient's chart is worth $100,000 to an identity thief? It doesn't matter how the thieves get the info, your facility can still be held liable if you don't comply with the laws."

According to a white paper prepared by Charles Kennedy, an attorney specializing in communications law in the Washington, DC office of Morrison & Foerster LLP, and a professor at the Columbus School of Law, the new Red Flag regulations are among the most important privacy initiatives in years. The paper, "The Red Flag Regulations: A New Front Open in the War on Identity Theft," published when the FTC originally scheduled the new regulations to take effect on Nov. 1, 2008, noted that the Red Flag guidelines require each program, which must be reflected in written policies and procedures, to include risk assessment and red flag identification and response.

David Williams, CPA, FHFMA, a healthcare partner for HORNE in the Jackson, Miss., office, explained that the Red Flag guidelines can be broken down into three categories:

Red Flags that definitely apply to healthcare:
  • Documents provided for identification appear altered or forged.
  • Photographs or a physical description on file are not consistent with the appearance of the patient.
  • Other inconsistent information identifies the patient.
  • Inconsistent signatures are on file.
  • Patient forms or applications appear forged, altered, or destroyed and re-assembled.

Red Flags that may apply to healthcare:
  • Statements sent to the patient or guarantor are returned as undeliverable despite ongoing transactions on active records.

Red Flags that most likely do not apply to healthcare:
  • A fraud alert is included with a consumer report.
  • A consumer reporting agency provides notice of a credit freeze in response to a request for a consumer report, a notice of address discrepancy, and/or unusual credit activity.
  • Financial institutions and creditors use challenge questions that the person opening the covered account cannot answer with readily available information.
  • A request is made for new, additional or replacement cards or the addition of authorized users on the account shortly after a change of address request.
  • A new revolving credit account is used in a manner commonly associated with known patterns of fraud.
  • The use of a covered account is inconsistent with established patterns of activity on the account.
  • There is unexplained usage of a covered account that has been inactive for a reasonably lengthy period of time.


Administering an Identity Theft Prevention Program requires board approval, staff training, and ongoing oversight.

"It's important for entities to have their corporate compliance officer be aware of these regulations and implement policies that address key provisions," Williams said.

Fortunately, the Red Flag regulations provide creditors with a great deal of discretion in identifying the threats they must address and the appropriate preventive measures.

Damages

The FTC may impose civil money penalties of up to $2,500 per violation. Also, state Attorneys General have the authority to enforce the rules and may recover damages up to $1,000 for each willful or negligent violation, plus reasonable attorney fees. And even though the act does not authorize private individuals to bring an action to enforce the Red Flag Rule, a person harmed by identity theft may be able to bring an action against a health center under state law.

"Even if you outsource your compliance, it's not enough," said Asbell. "Most compliance software cannot meet your needs for complying with the new legislation. You need to retain a specialist in the area of identity theft to conduct the training and provide the documentation that is required. Your attorney might help with documentation, but he can't provide the specialized training that your employees need."