Beginning August 1, the Federal Trade Commission (FTC) will begin enforcing a rule requiring certain kinds of businesses, including doctors’ practices and hospitals, to develop written plans for identifying and responding to warning signs – red flags – of identity theft. And while many health care providers view the “Red Flags Rule” as another time-consuming, expensive federal mandate they have to follow, pediatricians who have prepared for it say it need not be either.

More than 8.3 million Americans are victims of identity theft each year. Of that, the FTC estimates 4.5%, or 373,000, experience medical identity theft – someone pretending to be another person in order to use that person’s health insurance.

Steven Kern, a partner in the law firm Kern Augustine Conroy & Schoppmann P.C. in Bridgewater, N.J., explains that compliance with the rule requires a program that will identify and detect relevant red flags, and mitigate the consequences of identity theft if it does occur. In addition, red-flag programs must be updated periodically and be approved by the business’s board of directors, shareholders, or – as is the case with most medical practices – senior partner. Businesses found not complying with the rule could face fines or other civil penalties.

Warning signs of identity theft
The FTC, in its guidelines for complying with the rule, lays out four general categories of warning signs of identity theft. These include: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious forms of personal identification; and notifications from customers, victims of identity theft, or law enforcement authorities about possible identity theft.

The commission’s recommended steps for preventing or mitigating theft include increased monitoring of customer accounts and account numbers to prevent misuse, contacting the payer or law enforcement agencies if theft is suspected, tightening database security, or a combination of these steps.

Naomi Lefkovitz, an attorney in the FTC’s division of privacy and identity protection, says businesses do not need to submit their plans to the commission. “If we are called in to investigate a case of identity theft, at that point we would probably ask to see the written program,” she explains.

Modifying HIPAA
For Pediatrics Associates, a 130-physician, 21-office practice headquartered in Lauderdale Lakes, Fla., preparing for the Red Flags Rule has been largely a matter of modifying its existing policies for guarding patient privacy under the Health Insurance Portability and Accountability Act (HIPAA). “We have a number of verification processes in place already,” explains C. “Rocky” Slonaker, MD, the practice’s compliance officer. “We’re just trying to tweak that a little, and maybe add some additional metrics to enable us to meet the requirements of the law.”

Slonaker says staff members are instructed to request a patient’s name, date of birth, address, and a driver’s license number for a parent or guardian when bringing a child for care. “We don’t always get a driver’s license, so as part of this [Red Flags] policy we’re now requesting the Social Security numbers of the parent or guardians. If they won’t give us the complete number, we ask for the last four digits and explain it’s a way of protecting their account.”

In the practice’s Red Flags training, staff members are taught to recognize common warning signs of identity theft, such as documents that look like they’ve been altered, or personal information that doesn’t match with what’s on file. They are also taught to notify a supervisor if they suspect identity theft. “It’s basically just more formalized training of what we’ve already been doing,” Slonaker explains.

“It’s not uncommon for us to get complaints about identity theft,” he adds. “Because we’re in pediatrics we get pulled into a lot of custody battles, with one parent trying to restrict the other’s access to insurance. And because we’re a larger organization we already have administrative functions in place, so complying isn’t a huge reach for us.”

Slonaker learned of the rule in late 2008 from a compliance e-newsletter. “In general I don’t think the communication about this has been very good. All the information I’ve received is because I’m a compliance officer. But I could see where this could easily slide under the radar of a smaller practice.”

Improving patient care
Anjali Baxi, an attorney with Health Care Law Associates law firm in Plymouth Meeting, Pa., notes that improved patient care is among the benefits of reducing identity theft. “If someone comes in to a doctor pretending to be someone else and is treated for a disease the true patient never had, and later on the true patient is treated for something, it could pose a real problem in terms of the treatment the true patient receives.”

Janet Compagna, practice administrator with Pediatric Healthcare Associates, a 22-physician practice with six offices in Fairfield County, Ct., says she first learned about Red Flags during a Medical Group Management Association (MGMA) webinar early in the year. She developed a program by adapting a template the practice’s law firm had developed to the practice’s own needs.

“Your first reaction when you hear about it is ‘This is more work, and who’s going to do it?’” Compagna recalls. “But once you start peeling back the layers of that onion, I think you’ll find that these rules really are just an enhancement of HIPAA. If you have a good HIPAA program in place, you don’t have to start from scratch.”

Medical societies protest rule
Following the lead of the American Medical Association, more than two dozen medical societies, including the American Academy of Pediatrics (AAP), have protested the FTC’s decision to apply the Red Flags rule to medical practices, on the grounds that the law which produced the regulations was meant to apply “creditors” such as financial institutions, automobile dealers, and utility companies. In December 2008, the AAP began publishing articles about the rule and its application to members’ practices in the AAP News.

Compagna at Pediatric Healthcare Associates says implementing a Red Flags program wound up being less work than she feared. “A lot of the things involved in complying are just common-sense things we are doing already,” she explains. “It’s just a matter of writing them down and expressing to the staff verbally and writing what the expectations are. At the end of the day it wasn’t as overwhelming as we first thought it was going to be."