The Red Flags Rule to Protect Against Medical Identity Theft

Nurse checking patient in at computer clinic lobby
Hero Images/Getty Images

The health care industry is not exempt from the consequences of identity theft. Medical identity theft occurs when someone presents someone else's name or insurance information for the purpose of receiving health care.

According to a report from the Federal Trade Commission (FTC), close to 5 percent of incidents involving identity theft are in the form of medical identity theft. The damages of medical identity theft can be devastating to both the victim and the health care provider.

Victims of medical identity theft can find themselves left with incorrect information in their medical records and expenses they never incurred. Health care providers may be left with a large number of unpaid bills.

The Red Flags Rule to Spot Identity Theft in Healthcare

On August 1, 2009, the FTC began to enforce the Red Flags Rule requiring businesses including health care providers to develop a program to spot the "red flags" of identity theft. Under the Red Flags Rule, organizations are required to develop a process to identify, detect, and prevent identity theft. The FTC also advises organizations to keep their Red Flags program current.

When implementing your program, keep these in mind.

  • Identify: Be alert for suspicious documents or personal identifying information that appears to be altered or is inconsistent when compared to other information provided by the customer.
  • Detect: Obtain and verify identification when making changes to account information.
  • Prevent: When the risk of identity theft is suspected, take steps to prevent further incidents.
  • Update: Periodically evaluate your program and make necessary changes.

It is very important to get a copy of a patient's insurance and identification cards each and every time they present for services. This will help to prevent instances of fraud.

Actions to Take When Medical Identity Theft Is Suspected

If it is brought to your attention that your patient may be a victim of identity theft, there are several things that the medical office can do.

  1. View the medical records to identify any inconsistencies in the patient chart when compared to other dates of service. Verify the identification cards received and compare them against each other. If the patient's height or weight does not match or any other identifying characteristics, this is a clue that there may be foul play. Be sure to remove the incorrect information from the patient's account including diagnosis, procedures, and charges to ensure accuracy.
  2.  For any debts associated with identity theft, you may not report this debt to credit reporting companies.
  3. Medical identity theft should be reported to the police.
  4. Ensure your data security practices are compliant with the information safeguard provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Patient information should be secured and protected from data breaches.
  5.  If a breach occurs, be sure to notify patients of the data breach as required by the HIPAA Breach Notification Rule or as mandated by state law.
Was this page helpful?