Tip: Institute your Red Flags program ASAP. Under the Red Flags Rule, your practice will be required to spot the "red flags" that can signal identity theft. Just last week, a Long Island medical office employee was charged with stealing patients' identities from medical files and using the information to go on a spending spree. Point of contention: In preparing their Red Flags programs, some practices plan to check patients' identification cards, and some choose to make photocopies or scan the photo ID cards to ensure that patients who present them are using their own insurance cards. However, several practices report that they've heard that they should not keep copies of patients' IDs in their systems due to privacy concerns with their HIPAA policies. Reality: In a Feb. 4 letter to the American Medical Association, the FTC noted that requesting a photo ID at patient visits is "consistent with the objectives of the Red Flags Rule." Good idea: "It is our recommendation to American Medical Billing Association (AMBA) members to have their providers check a photo ID for each encounter," suggests Cyndee Weston, AMBA's executive director. "I don't think the ID must be copied each time, but a picture in the patient's medical record for future identification purposes would be beneficial," she advises. Many providers already take a digital picture of the patient for the medical record, which is a "best practice suggestion." Remember: "Once you've copied the license or scanned it into your system, you've entered HIPAA territory" and must protect that information, says Barbara J. Cobuzzi, MBA, CPC,CPC-H, CPC-P, CHCC, senior coder and auditor for The Coding Network,and president of CRN Healthcare Solutions.