What Is The Red Flags Rule in Healthcare?
In medical settings, victims of identity theft can face devastating consequences including financial loss and delays in treatment. In an effort to fight growing concerns about identity theft in all areas of business, the Federal Trade Commission (FTC) and other government agencies issued a set of regulations, referred to as the Red Flags Rule, in 2007.
The regulations require businesses to have a written identity theft prevention program (ITPP) in place to spot (or “flag”) suspicious patterns of activity that might indicate attempts at illegally accessing personally identifying information (PII). We’ll discuss the meaning of a red flag, rules and regulations related to flagged behavior, and the four steps you can take to comply with this federal law.
Purpose of the Red Flags Rule in Healthcare
The rule, published in the Code of Federal Regulations Title 16, is designed to prevent and mitigate identity theft. It states that certain businesses have a duty to identify, detect, and respond to identity theft attempts.
When the rule is applied to healthcare, sometimes harmless activity triggers a flag that must be investigated, resulting in increased operating costs or potential delays in care. Its effectiveness ultimately depends on how well a given facility or healthcare entity identifies its risks and implements its prevention plan.
History of the Rule
The Fair and Accurate Credit Transactions Act, passed in 2003, requires certain government agencies to take a closer look at the problem of identity theft. In response, the FTC published a new set of identity theft prevention regulations.
Because of pushback from various groups, including physicians and healthcare institutions, the FTC was unable to enforce the regulations for several years. The Red Flag Program Clarification Act of 2010 narrowed the scope of the laws and clarified who, exactly, was subject to them, and in 2011 the FTC started enforcing the new regulations with penalties and fines.
Does the Red Flags Rule Apply to All Healthcare Facilities?
The rule applies to many (but not all) healthcare facilities, with regulations addressing two categories of businesses: financial institutions and creditors. Healthcare facilities are considered creditors if they provide services and collect payment at a later date or over an extended period of time.
There are some facilities that are exempt from the rule. For example, a small clinic that doesn’t offer payment plans may not be considered a “creditor” as defined by the Act.
Are There Other Red Flags in Healthcare?
The red flags of identity theft prevention are not the only red flags you’ll encounter at your facility. You may be familiar with the red flag warnings built into your facility’s electronic health records (EHRs). These warnings pop up when an inconsistency, discrepancy, or potential risk (like unsafe discharge from the hospital) is identified and needs to be addressed.
In addition to the FTC’s rule meant to prevent identity theft, there are red flags that alert stakeholders in the healthcare industry to instances of possible fraud and abuse, such as:
- Billing irregularities.
- Unbundled services (services that should be grouped are invoiced separately).
- Markedly low numbers of incident reports.
- Consistently late submission of insurance claims.
How to Comply With the Red Flags Rule: 4 Steps
Failing to comply with these regulations could result in damage to your facility’s reputation, fines, or lawsuits from individuals who have been affected. While compliance efforts involve upfront work and expenses, they’re vital for protecting PII. If your facility already has measures in place for safeguarding your patients’ information, you’re already on your way toward meeting federal standards.
The Red Flags Rule requires the establishment of an ITPP, and the FTC outlines a four-step process for compliance. The program that your facility has in place should be capable of all four steps.
1. Identify the Red Flags Relevant to Your Organization
The FTC identifies five areas covered in the Red Flags Rule, along with examples of each. However, the warning signs that your facility identifies will be unique to the systems you have in place.
The ways you handle confidential patient information, your method of billing patients, and your admissions process all relate to the Red Flags Rule. Examples of suspicious behavior commonly seen in healthcare include:
- A mismatch between a medical record and the patient’s appearance/symptoms.
- An inquiry from a patient about a bill for a treatment that they never received.
- A patient’s refusal to provide backup documentation for an insurance card.
- A notice from an insurance fraud investigator.
2. Detect Red Flags as They Arise
Use appropriate tools, systems, and resources to detect suspicious behavior. This might take the form of specific software to monitor financial transactions, or a policy for authenticating the insurance cards that your patients provide.
3. Respond to Suspicious Behavior
Your program should outline the actions you’ll take when a red flag is detected, such as gathering evidence, reporting the incident, notifying the individuals involved, and following up in ways that prevent and mitigate identity theft.
4. Update the Program Regularly
Technology changes at a rapid pace, and your program will need to stay up to date to remain effective. In addition to evolving technology, consider changes to your facility’s operations, like new ownership or partnerships with other providers.
Stay Informed About the Latest Healthcare Regulations
Healthcare regulations, like the Red Flags Rule, impact your facility’s day-to-day operations, from billing and administrative work to direct patient care. Want to stay on top of the latest rules? Get up-to-date healthcare management insights delivered regularly.