If you own or are employed by a dental practice and you are not already aware of the “Red Flags” Rule, you need to be. The “Red Flags” Rule has been in effect since January 1, 2008 and was established by the Federal Trade Commission as a means to decrease incidents of identity theft. Identity theft is a very serious problem here in the United States, and as many as nine million Americans have their identities stolen each year.[1] Through the “Red Flags” Rule, the FTC requires that all businesses and organizations that extend credit to their customers implement a written identity theft prevention plan that identifies the warning signs (red flags) in their operations, details the steps they will take to prevent identity theft, and mitigates the damages.
Do you wonder how a dental practice can be subject to this rule? According to the FTC, dental practices qualify as creditors, thus they must follow the “Red Flags” Rule. Its definition of a creditor is “broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.”[2] The Rule applies to dental practices that:
- send bills to patients for services rendered
- set up installment plan payments with patients
- use a third-party financing company for patients to pay for their services
- accept assignment of benefits for insurance claims when the patient is financially responsible for the bill.
In addition, you may wonder why all of this is not covered by HIPAA. There are similarities between the two. HIPAA protects data security while the “Red Flags” Rule goes beyond that by requiring a specific written plan to cover additional aspects of identity theft prevention.
There are four basic elements to the “Red Flags” Rule that must be incorporated into a business’s plan:
- Identify Red Flags – Determine the procedures that you will use to identify the red flags of identity theft. These might be suspicious activities, patterns, or practices. By identifying these red flags, staff members will be better able to prevent the red flag from developing into an identity theft episode.
- Detect – The business will need to develop a written plan on how to detect the red flags that were listed in the first step.
- Prevent and Mitigate – Create a plan of action for when you detect a red flag. A business will need to do everything possible to either prevent identity theft from happening or to mitigate the effects of it if it does happen. The possible actions are contacting the patient to verify information, monitoring patient accounts, possibly refusing treatment (unless professional ethics would prevent this decision), notifying the authorities, or taking no action.[3]
- Re-evaluate – Keep your plan updated. Technologies change and thieves can change their methods. Keep your plan current by having a periodic review of the plan and have it set up on a schedule.
The ADA, in an effort to help dental practices to be compliant with the identification aspect of the Rule, has determined that the following would be red flags for a dental practice:
- An individual falsely claiming to be someone else known to the dental staff;
- An unrecognized individual with no personal identification or who refuses to provide information about their identity;
- An individual who is unwilling or unable to provide contact information;
- Suspicious documents that appear to have been altered or that contain information that does not match the person presenting them;
- Altered or cancelled insurance cards;
- Attempts to submit by phone a patient’s credit card or insurance information as payment for services;
- Any form of notice stating that a patient’s information or identity may have been stolen;
- A notice that the patient is on active duty in the armed forces;
- Address discrepancies in consumer credit reports;
- Disputes by a patient claiming to be a victim of identity theft;
- Undeliverable mail or returned checks;
- Suspicious requests for a prescription or a refill;
- Any other suspicious activity in relation to patient accounts, including evidence of security breaches (e.g., theft of a computer containing patient information) and unusual activity in relation to such accounts; and
- Discrepancies between the patient’s purported medical records and the patient’s physical condition.[4]
The World Privacy Forum has issued its own red flags for medical practices:
- A complaint or question from a patient based on the patient’s receipt of:
  - a bill for another individual;
  - a bill for a product or service that the patient denies receiving;
  - a bill from a health care provider that the patient never patronized; or
  - a notice of insurance benefits (or Explanation of Benefits) for health services never received.
- Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
- A complaint or question from a patient about the receipt of a collection notice from a bill collector.
- A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
- A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
- A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
- A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
- A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.[5]
One last area to be addressed is to check with your service providers such as credit card companies, credit organizations, third party billing companies, and dental labs to make sure that they have protections in place to guard against identity theft. Once the plan has been written it must be approved by the business owner. In addition, there must be an individual who is designated as the administrator of the plan. Lastly, training of the staff as to all aspects of your plan should take place and this should include providing them with a copy of the plan. These copies should be signed by each employee and returned to the administrator. The administrator should be responsible for maintaining the plan, ensuring that staff training has taken place, and scheduling the periodic reevaluation of the plan.
The following are a few suggestions to make your practice more compliant:
- Make a decision as to whether you will see patients without IDs
- Photograph patients
- Consider using driver’s licenses as proof of identity
- Truncate social security numbers
- Have internal access requirements for patient data and strong password management
- Apply appropriate sanctions to employees who fail to comply with privacy regulations
- Implement policies and procedures to safeguard the facility from unauthorized access
- Implement policies and procedures to detect and prevent malicious software from being downloaded on practice computers
- Keep offsite backups of the computer system
You may wonder if penalties will be imposed if a dental practice is found to be non-compliant with the Rule. There are no criminal penalties but dental practices could possibly be fined as much as $2,500.00 per violation. States may impose fines of up to $1,000.00 plus attorney’s fees, and individuals may also be entitled to collect due to damages from an incident.
Becoming compliant with the “Red Flags” Rule will incur additional costs to a business. The ADA legal staff has been in contact with the FTC and is attempting to convince them that this rule should not apply to dental practices, since the majority of dental practices have never dealt with any identity theft episodes. They have also stated that this rule will place a financial hardship on practices that are already suffering from a poor economy. The response from an FTC staff member was that the Red Flags Rule was “intended to be very flexible and that a Red Flags plan need only address those circumstances that a dental practice actually encounters.”[6] One FTC staff member actually stated that “if a dental practice has not experienced Red Flags situations in the past, a program that simply directs dental office team members to be aware of the problem of identity theft generally and to report particular occurrences that make them suspicious will satisfy the Rule.”[7]
The FTC has agreed to delay the compliance deadline for the Rule until August 1, 2009. This should help practices by giving them more time to create their written plans. You can obtain more information on how dental practices can become compliant by going to the ADA website. In addition, there is word that the FTC may issue a template for entities that have a low risk of identity theft, such as dental practices, that will help to simplify the process of compliance with the Rule. Watch for further notice on this in my upcoming newsletters. In the meantime, the ADA is still striving to exempt dental practices from the Rule. You can help by notifying your congressmen that you do not agree with the FTC’s decision. We can only hope that the ADA will be successful.