When Rob Douglas, editor of IdentityTheft.info, spoke to health care providers last fall, he mentioned the approaching deadline for the Red Flags Rule. Douglas expected to get knowing nods, but was greeted with blank stares instead. Then the panic set in.
"A number of us were contacting the Federal Trade Commission (FTC) and saying, you really have a fiasco on your hands here," Douglas said. With the threat of an uproar, the agency pushed compliance from Nov. 1, 2008, to May 1, 2009. When April 30 rolled around, another delay was announced. Enforcement is now slated for Aug. 1.
If the Red Flags Rule is news to you, you've got some catching up to do. Here's what's up with the crackdown on ID theft.
Are You Affected?
The Dangers of Medical Identity Theft
Identity theft is the fastest-growing crime in the U.S., and it doesn't just yield a bad credit report, according to Brian Lapidus, chief operating officer, fraud solutions division, Kroll. The health effects of medical identity theft can be far more costly and challenging to resolve.
"It's a real mess to clean up a blended record," Lapidus said, which occurs when a thief's medical information winds up in the victim's file. The mix-up can put a patient at risk for medical errors, especially if they're unaware of any improper access.
The crime can also bar victims from the care they need. If a thief maxes out a patient's coverage, the victim may have trouble making their next appointment, Lapidus said.
The Red Flags Rule aims to protect personal information from nefarious use, whether the threat is internal or external. Published in the Federal Register, the regulation notes five categories and 26 flags that organizations must address, when applicable, in a written plan. Flags range from noting that an address matches one listed on a fraudulent document to alerting supervisors when a patient's account suddenly shows suspicious activity.
The rule applies to any business or institution that extends credit -- and that's where it gets confusing. "Credit" includes billing for payment at a later date, Douglas said, so health care providers fall under the umbrella. It's a broad definition, and many organizations outside financial services aren't aware they must comply.
"My fear is there is still a substantial percentage of health care providers who do not know they're affected," Douglas said.
He recalled the frantic e-mails he received from health care executives a month before the initial compliance date. They had no idea if the rule applied to them or what to do if it did.
Most health care providers are affected by the rule, but there are a few exceptions, according to Nancy Davis, MS, RHIA, director of privacy/security officer, Ministry Health Care, Sturgeon Bay, WI. "You have to be a provider that sets up covered accounts offering installment payments," she explained.
Free clinics and cash-only surgical centers, therefore, may be exempt.
In HIPAA's Shadow
HIPAA compliance gives health care organizations a leg up in preparing for the Red Flags Rule. Employees are already used to monitoring and protecting private information, so keeping things like names and Social Security numbers under wraps won't be much of an adjustment. On the other hand, the 26 flags are more complex than many providers may anticipate, according to Douglas.
"Identity theft Red Flags Rules are challenging to work through," he said. "It's certainly not something that should be left to the last second."
The Red Flags Rule sets goals and tells organizations what risks to consider, but specific policies are up to the individual provider. That's a blessing and a curse, Douglas said. Small practices may find they don't have to make too many adjustments; large facilities, on the other hand, may have a lot of planning and training to do.
In addition to outlining a written strategy for preventing identity theft, hospitals must "tweak" the policy and have it reviewed by executive management on a regular basis -- most likely once a year, Douglas said.
With health care organizations already making changes to meet new HIPAA provisions in the American Recovery and Reinvestment Act (ARRA), privacy and security officers will have a lot on their plates. According to Douglas, organizational adjustments to HIPAA may actually be easier than the planning and widespread changes required by the Red Flags Rule.
"This is going to be a multi-step process for any institution of any size," he said.
Davis also noted the dual enforcement of upcoming HIPAA changes and the Red Flags Rule. ARRA/HITECH may overshadow Red Flags changes, she said, but an effective privacy and security plan will find the regulations complementary. "Anything you do with the Red Flags Rule will certainly help your compliance for ARRA," she said.
When developing her organization's written plan for the Red Flags Rule, Davis used preexisting HIPAA policies as a foundation. The plan even includes attachments to related privacy guidance, including business associate agreements, so staff can cross-reference. "We wanted to take advantage of what we already had in place," Davis said.
A Plan of Action
Privacy vs. Security
Health care organizations often throw privacy and security in one bag, but there's a difference, according to Lapidus. HIPAA policies keep providers focused on privacy, but that doesn't mean records are secure.
Lapidus was alarmed when he visited a patient and saw medical records stored in slots outside the patients' rooms. The files were closed, so they were technically private, but the placement left them vulnerable to theft. "I could have pulled those records and had access to any data I wanted," he said.
It may require a "cultural shift," but institutions should put greater emphasis on security, according to Lapidus. "[If] it's part of your routine, the organization fares far better," he said.
In preparing for the Red Flags Rule, privacy and security officers can lead the charge. They can get started by reading the regulations outlined in the Federal Register and identifying areas where the organization is at risk for medical identity theft -- in other words, figure out which flags they need to adopt in their written policy.
Though it's not required by the rule, education can be the key to a successful Red Flags program. Davis noted the following "high-risk" areas for targeted education and awareness:
- patient registration
- patient accounting or billing
- risk management
- privacy and security officers
- patient advocates
- accounts payable
- release of information
In addition to educating professionals in those departments, the entire facility should be notified about the Red Flags plan. At Ministry Health Care, new hires learn about identity theft prevention during orientation, and Davis frequently posts articles about the topic on the organization's intranet.
Douglas said every employee should be on the lookout for potential cases of identity theft, and not just from the outside. Insiders, like registration clerks and other staffers who handle private health information, can also pose a threat. Douglas has noticed a number of breaches that involved hospital employees stealing patients' information. He advised providers to focus on protecting information from all fronts.
The final rule doesn't specify what will happen to providers who aren't ready by Aug. 1. It's unclear how the FTC will check compliance, and penalties have yet to be defined. With that in mind, Douglas still urged health care organizations to ensure their policies are in place by the deadline. The FTC will likely target facilities that have a significant breach or history of identity theft, he said, but it's best to be prepared. "I wouldn't want to be the institution that ends up being the guinea pig," Douglas added.
Regardless of the penalties, Red Flags guidance will provide a good resource and a strong defense against medical identity theft, according to Davis. It not only prepares employees for responding to an incident, but also reinforces patients' trust in the facility. "We need that kind of awareness," she said. "We have to be good stewards of our patient information."
Cheryl McEvoy is an editorial assistant with ADVANCE.