Red Flag Rules Compliance Now Standard Part of Revenue Cycle Operations
By Bruce Nelson, Vice President, SearchAmerica, A part of Experian
Hospitals are working diligently on their programs to comply with the new Identity Theft Red Flags and Notices of Address Discrepancy from the Federal Trade Commission (FTC) to combat identity theft at their facilities. However, as the details of their programs are being evaluated, many questions arise:
- Will our proposed program create too many false positives or ‘red flags’ that we cannot manage appropriately?
- How should the collection of patient demographic information alter our program?
- Should a red flag account be identified at patient registration or during the billing and collections processes following services?
Providers Have Assumed More Responsibility
The Red Flag Rules require healthcare organizations to properly identify patients in order to protect their identity. The FTC assures the healthcare community that the Red Flag Rules should not prevent any organization from providing medical services to a patient. Instead, they have placed another layer of responsibility onto providers.
Some in our industry have referred to this new regulation as an “unfunded mandate” which obligates hospitals and clinics to proactively identify ID theft triggers based on FTC criteria. These new criteria may cause unnecessary triggers due to routine patient interaction. For example, a patient calls and states, “I have never been to your facility.” According to the FTC, this fairly routine event is a Red Flag Rule trigger. In this situation, research showed that the patient had a specimen taken at their doctor’s office which was later run at the hospital’s lab, thus creating a false positive Red Flag trigger.
Most Medical ID Theft Risk is Internal
Medical ID theft most often results from internal misuse of patient or guarantor information. This shouldn’t be surprising. Retailers have known for decades that most of their shoplifting incidents come not from their shoppers, but from their employees. Hospitals are not immune to this phenomenon.
The Red Flag Rules do require internal controls over staff and preventive steps to reduce the number of Red Flag alerts and identity theft cases for a hospital before they occur.
Storing photocopies of government IDs such as driver’s licenses and Social Security cards within patient files is currently commonplace. These files can be accessible by all individuals participating in the care of the patient, including lab technicians, nursing staff, physicians, physical therapists, pharmacists and pharmacy technicians, among others. However, these can be the information sources needed by identity thieves to perpetrate their crimes. This process requires review to ensure appropriate controls are in place to eliminate the temptation for internal staff.
A recommended solution to prevent internal misuse of patient information would be to automate the demographic validation process. This involves utilizing state-of-the-art identity verification workflow and storage solutions. Access would be controlled by user security and passwords.
Red Flags Will Be Numerous Under Current Processes
Creating too many false positives is a justifiable concern for all healthcare providers. Many everyday billing questions and occurrences could be used alone to identify a Red Flag account, but doing so would create dozens or hundreds of red flag accounts each day, the vast majority of which would not be true instances of identity theft.
For example, if a patient arrives at the Emergency Department (ED) without documentation, should this be considered a red flag account?
The answer is not a simple yes or no, but an assessment of the demographics and what is considered normal for each facility. For example, if a facility serves a large immigrant population, it will not be uncommon to encounter patients in the admissions process without documentation. In this case, this alone shouldn’t constitute a Red Flag as it would create too many false positives and become burdensome for the hospital and its patients. Instead, Ms. Lefkovitz recommends adding other criteria that would identify a Red Flag, such as billings returned to the provider by the post office as undeliverable.
The FTC is advising each provider to assess its patient populations and identify potential red flag criteria that are too commonplace to be considered an anomaly. Instead, the FTC is advising providers to develop multiple criteria that must be encountered before an account is identified as a red flag.
A few examples of common billing questions that may prove to be a false positive red flag are:
- Billing Inquiries:
  - Patient claims to never have been at the hospital
  - Patient claims to have never received the medical service on the bill
  - Dispute of a bill based on claim of identity theft
  - Mail sent to patient repeatedly returned as undeliverable despite ongoing transactions on active account
- Clinical Identifiers:
  - Medical services are inconsistent with a diagnosis
  - Allergies listed on chart are disputed by patient
- Admissions Alerts:
  - Patient provides insurance number but provides no insurance cards
  - Lack of correlation between Social Security number range and date of birth
  - Repetitive address or phone number supplied by multiple patients on financial assistance applications
  - Personal information inconsistent with information already on file
Steps to Improve Compliance
Until the Identity Theft Red Flags and Notices of Address Discrepancy, most hospitals discovered identity theft cases after medical services were rendered and the patient released. This unfortunate discovery resulted in unrecoverable expenses. Now there will be not only a loss in revenue, but also potential government fines if processes are not in place and used consistently. The following are recommended steps that hospitals can use to mitigate their risk and improve their compliance with recent regulations:
Step One: Be Proactive
The FTC has mandated that providers become both proactive and reactive in their approaches. Historically this has not been the case, and hospitals have followed up on accounts only when their traditional billing and collection efforts failed.
Emphasis needs to be on the prevention of Red Flag instances.
To do so, providers need to establish new controls. First, they need to dramatically limit the access that internal staff and third parties (e.g., collection agencies) have to SSNs and other patient identification information, to prevent internally generated cases. Minimizing the internal theft of medical IDs will have the most significant impact on reducing both red flag instances and losses from identity theft.
Secondly, patient folders need to be stripped of all mentions and photocopies of government IDs. This includes folders for new patients, recurring patients, and former patients.
Step Two: Involve Other Departments
Securing patient information cannot be achieved by finance and administration alone. Executives are required to monitor the Red Flag Program periodically, but other departments also need to become actively involved in the process. The following are just a few examples:
Human Resources. For hiring, payroll, credential validations, and other activities performed by this group, human resources staff have access to the identification (SSN, driver’s license number, etc.) needed by identity thieves. Hospitals need to be sure this information is secure and accessed only by those that need it.
Likewise, as they hire, they should pay attention to any background checks that include identity theft citations or convictions. These individuals need to have very strict controls on their access to patient information, or no access at all, and have their activities monitored frequently.
Human Resources is usually vital in setting up permissions and access to a provider’s facility and systems. Administration should team with this department to create access controls that are consistently and appropriately maintained, at hiring and throughout a staff member’s employment.
Lastly, as hospital personnel are oriented to the provider’s policies in training sessions, they need to become aware of the Red Flag Rules and, if appropriate, their role in compliance. This will specifically impact registration and billing staff, but all hospital staff should be aware of the need for strict controls over patient identification information.
Healthcare Information Management (HIM)/Medical Records. This department is critical for proactive reduction in identity theft and compliance with the Red Flag Rules. Its staff must work with finance and administration to identify new user permissions and controls to protect the electronic storage of government IDs in patient folders (until removed) and the secure database where they will reside. They should also review their current procedures used to detect misuse of passwords that have access to identification information.
In addition, patient folders contain identification information that will need to be removed. Medical Records is critical to performing this task as they are knowledgeable in where this information resides within the folders for current patients and in historical records that may be accessible to staff. This department is instrumental in developing the plan that will govern the information in new patient folders as well as how to ‘clean’ existing and former patient documentation.
Step Three: Develop Industry Best Practice
Virtually all hospitals must comply with the Identity Theft Red Flags and Notices of Address Discrepancy. Providers should team together to share their programs and aid one another in developing best practices for those serving similar patient demographics.
Your Red Flag Policy should reflect a strong due diligence process with a goal to decrease premature filings. The following are some examples of industry best practices that hospitals are considering and/or including in their Red Flag Rules programs:
Red Flag Policy Triggers:
- Differing Information. Management will be immediately notified when personal information provided by the patient is inconsistent with current patient information residing in its systems.
- Altered Documents. Management will be immediately notified if a patient’s identification documents appear to have been altered.
- Unauthorized Charges. Management will be immediately notified when the hospital is advised of unauthorized charges applied to bank or credit/debit card accounts from their organization.
- Fraud Alert. If a fraud alert is associated with a patient account, the information must be verified with the guarantor or disregarded if unable to validate.
Proactive Protection of Patient Accounts:
- Website. All patient websites or portals containing patient information must be password protected.
- Phone Inquiries. Date of birth or a SSN of the account guarantor will be verified on all inbound phone calls requesting account information.
- Statements. Requests for medical documents and/or patient statements will only be sent to the address on record for the guarantor.
- Physician/Health Provider Requests. These offices will be provided an identification code that will be required when requesting account information.
- Name and Address Changes. A photo ID (for in-person requests) or the patient’s date of birth and/or SSN (for phone requests) is required to change the name and/or address on a patient’s account.
Payment/Refund Controls:
- Credit Card Payments. All payments given via phone will require the 3-4 digit identification number located on the back of the credit card.
- Refunds. All patient refunds will be mailed to the address of the guarantor or refunded to the original credit/debit card used for payment.
Policy Changes:
- Updates to the Red Flag Program. Management will periodically update its Red Flag Rules program based on its experience with identity theft, newly discovered methods of identity theft, and the availability of new solutions to detect, prevent, and mitigate identity theft.
For information from the FTC on the Red Flag Rules, visit www.ftc.gov, call (202) 326-3058, or email your questions to redflags@ftc.gov.