
 June 2010 Issue

Don’t Brush Off the Red Flags Rule
by Cheyenne Brinson, MBA, CPA
KarenZupko and Associates, Inc.

The enforcement of the Red Flags Rule has been postponed - yet again - until January 1, 2011. However, implementing an identity theft prevention program in your practice is good business practice. 

The heart of the Red Flags Rule is to verify that a patient is who they claim to be. The easiest way to verify a patient’s identity is to check their photo identification (i.e. driver’s license or state-issued ID). Many practices are already doing that! If not, it’s easy to implement – simply have your front desk receptionist request a photo ID along with the insurance card when a patient checks in. She should ensure that the two match.

What’s the danger of not checking IDs? Assume that Sally is recently uninsured. She has fractured her wrist and needs surgery. She does not have the cash to pay for the surgery and so she “borrows” her sister Sara’s insurance card. Or worse, she “borrows” her neighbor’s insurance card without her neighbor's knowledge. This is happening all over the United States. In fact, medical identity theft is the fastest-growing form of identity theft in America today - accounting for three percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen in 2005, according to the Federal Trade Commission. That number is predicted to be much higher now.

Why wait until this becomes law? Even if it doesn’t become law (the AMA has filed a lawsuit to exclude physicians from the Red Flags Rule, and legislation has been introduced to this effect), protect your practice today! Implement an Identity Theft Prevention Program. To download a FREE sample Identity Theft Prevention Program, please visit: http://www.karenzupko.com/resources/forms.html

Frequently Asked Questions

Question:  What do I do if a patient doesn’t have an ID or gets upset that they must show an ID?

Answer: Explain to the patient that we are doing this to help them – we want to be sure that someone else isn’t using their identity. As for patients without a driver’s license, we can ask for other forms of ID – like a state-issued ID card, a voter’s registration card, etc. The KZA sample policy includes a list of acceptable IDs.

Question: Can we keep a copy of our patient’s ID, like their driver’s license, on file in our practice management system?

Answer:  Yes.  As long as you are HIPAA compliant, you may scan the ID obtained into your practice management system.  In fact, we recommend this so that you have a baseline to compare identification to the next time the patient comes in.  Plus, it’s documentation that you verified the patient’s identity. Some practices are opting to take a picture of the patient.  That works too. 

Question:  What do we do with credit card information we have for patients on payment plans or for our cancellation policy? 

Answer: You want to keep written authorizations for up to 18 months, in case a patient disputes the charges. However, you must keep those documents secure. Keeping those documents in a locked drawer and limiting access to only those staff who need it is key.

Question:  Our practice obtains social security numbers (SSN).  Can we still do this? 

Answer:  Absolutely!  There are patients who are reluctant to give out their social security number.  However, for anyone who has ever turned over a patient to collections, you understand the value of having a social security number.  For insurance patients who refuse to give their SSN, you may want to consider collecting full payment up front.  In essence, we are extending credit to the patient – that is why we need their SSN. 

Question:  We keep credit card information in our practice management system including the credit card number and expiration date.  For the Red Flags Rule, can we still keep this information?

Answer: As long as your practice management system is PCI compliant, then all is well. Any system that houses cardholder data must be vetted by the card associations to verify compliance with PCI. If your practice management system has completed its PCI compliance, it should have a certificate of validation from Visa. For more information on PCI compliance, contact your credit card processing solution or Brian Bickel at Solveras Payment Solutions at brian@Solveras.com

Reference:
1. Federal Trade Commission. “FTC Releases Survey of Identity Theft in the U.S. Study Shows 8.3 Million Victims in 2005.” November 27, 2007. Press release.


Author Contact Information
Cheyenne Brinson, MBA, CPA
Consultant and Speaker, KarenZupko and Associates, Inc.
625 N. Michigan Avenue, Suite 2225, Chicago, IL 60611
(312) 642-5616 ext 220
cbrinson@karenzupko.com