Practice Management Alert

Quick Quiz:

Do You Remember the 'Red Flags Rule' Requirements?

Test your identity theft prevention skills with these questions.

Even though the Red Flags Rule enforcement did not go into effect on June 1 as anticipated, you should still be up to speed on protecting your patients (and your office staff) from identity theft. Practices should do what they can to put the Red Flags Rule into practice as soon as possible for this protection, rather than waiting for the enforcement date.

Take this quiz to find out if you'll be ready when the rule goes into effect later this year.

Answer These 3 Red Flags Rule Questions

Question 1: What is the Red Flags Rule, and what does your office need to do to follow it?

Question 2: True or false: If your practice already abides by HIPAA regulations, you don't need to take any additional action to comply with the Red Flags Rule.

Question 3: Since Congress delayed putting the enforcement of the rule into effect, how much additional time does your office have to be in compliance?

Red Flags Rule Will Affect Every Medical Office

Answer 1: The Red Flags Rule requires businesses and organizations to implement a written identity theft prevention program that will detect the warning signs -- or "red flags" -- of identity theft in their day-to-day operations.

An article on the Federal Trade Commission's (FTC's) Web site says that "certain businesses and organizations -- including many doctor's offices, hospitals, and other health care providers -- are required to spot and heed the red flags that often can be the telltale signs of identity theft."

How it affects you: Because you bill your patients after you've rendered services and have been paid by the insurance company, your practice is a creditor under the FTC Red Flags Rule. When a patient doesn't pay you in full at the time of service and your practice waits for payment from a third-party payer, you're extending credit to the patient until the third-party payer processes the claim.

Your practice is, therefore, a creditor. That means you need to have a policy in place to identify related incidents of potential identity theft, says Jean Acevedo, LHRM, CPC, CHC, CENTC, president of Acevedo Consulting Incorporated in Delray Beach, Fla.

The Red Flags Rule requires you to develop a program within your practice that addresses identity theft prevention techniques, as well as tools to detect and deal with any identity theft incidents that may occur in your office. These rules include policies and procedures as well as personnel training in the use of these policies and procedures.

HIPAA Compliance Does Not Equal Red Flags Compliance

Answer 2: There are four areas you should focus on to be sure you're prepared for the new Dec. 31, 2010 enforcement deadline:

1. Encourage your senior staff, board of directors, and managers to create a culture of security, Acevedo says. Part of this process should be selecting an identity theft security officer in your practice. Although this does not have to be the same person as your privacy officer, it often is, particularly in smaller practices.

2. Perform a gap analysis of how identifying information is passed and used within your practice, including all verbal, written, and electronic transfers of information. Since your practice should have done this same sort of analysis for HIPAA compliance, "as long as the infrastructure of the practice has not changed too much, practices can revisit the gap analysis they did for HIPAA, update that to remain HIPAA compliant, and then add identity theft," says Ester Horowitz, CMC, CITRMS, certified management counselor and owner/practice marketing advisor with M2Power Inc. in Merrick, N.Y.

3. Educate your employees in the areas of identity theft. "Eighty percent of identity theft has nothing to do with credit cards and credit reports," Horowitz says. Make sure your entire staff understands the impact, that "medical identity theft ... wreaks financial havoc on all parties involved," Horowitz adds.

4. Contact your practice's business associates and vendors to confirm that they are also complying with the Red Flags Rule.

Don't Be Fooled by Delay in Rule Implementation

Answer 3: "The deadline delay only means that more time is given to be in compliance," Horowitz says. But you'll still have to abide by the rules. "It is law now," reminds Horowitz. Once you have an identity theft program in place, you'll need to review the program and its effectiveness regularly. You don't necessarily have to revise your program each time you revisit it, but be prepared to make adjustments according to rule changes or factors inside your office.

Consequences: If your practice fails to meet the Red Flags Rule, you'll potentially face federal and state fines of $2500 per occurrence, civil liability of $1000 per occurrence, class action lawsuits with no statutory limitation, and settlements making your practice responsible for actual losses of the individual identity theft victim.