“The Red Flags Rule”, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft” as stated by the FTC.
Basically when a person seeks health care services using someone else’s name and insurance info, is what is called identity theft.
“Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.
On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.
The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.” as stated by the FTC.