[AGENCY LEGAL NAME]
Policy / Program Designed to Comply with Red Flags Rule Requirements to “Detect,
Prevent, and Mitigate Identity Theft
Policy #:
Approved on: [Date]
[Items to be modified are in italics and brackets]
The Federal Trade Commission (FTC) issued a regulation referred to as the Red Flags
Rule under the Fair and Accurate Credit Transactions Act of 2003 (FACT), with a
mandatory compliance date of November 1, 2009, for providers, including home health
and hospice facilities, subject to this rule. The primary intent of the rule is to develop
and implement a written identity theft prevention program to detect, prevent and
mitigate identity theft in connection with certain patient accounts.
The Red Flag Rule applies to ___________________________ [The Agency], based on
the interpretations of the rule by the FTC. [The Agency] is committed to adhering to and
conducting business in accordance with the “Red Flags Rule” effective November 1,
2009.
Execution of this policy is consistent with [The Agency] existing HIPAA privacy and
security policies and procedures that outline the administrative, technical and physical
safeguards [The Agency] employs to ensure the security of patients’ protected health
information (PHI).
Choose one of the following:
[The Board of Directors of [The Agency] approved this Identify Theft Prevention Program
at a duty held meeting on ________________.]
[or]
[As [The Agency] does not have a board of directors at this time, a similar level of
approval is demonstrated by the adoption of these policies and procedures with the full
understanding of all levels of administration, including any physician(s) and owner(s) of
this practice.]
1. Definitions
a. “Identity Theft” means fraud committed using the identifying information of
another person;
b. “Red Flag” means a pattern, practice, or specific activity that indicates the
possible existence of identify theft.
c. “Covered Account” means any account [The Agency] offers or maintains
primarily for personal, family, or household purposes that involves multiple
payments or transactions, including one or more deferred payments. [The
Agency] has identified the following types of “Covered Accounts”:
1)
Accounts in which the patient’s responsibility is deferred until the patient’s
insurance company has adjudicated a claim;
2)
Accounts in which the patient has no insurance and arrangements are
made with the patient to pay the bill over time.
2. The purposes of the program are to:
a. Identify relevant red flags based on the risk factors associated with [The Agency]
covered accounts;
b. Institute policies and procedures for detecting Red Flags;
c. Identify steps [The Agency] will take to prevent and mitigate identity theft;
d. Create a system for regular updates and administrative oversight to the
program.
3. Identifying relevant indicators of possible identify theft (Red Flags)
The following are examples of unusual occurrences or activities monitored by [The
Agency] that may indicate potential medical identity theft. The Red Flags generally
fall within four areas: suspicious documents, suspicious personal identifying
information, or, suspicious or unusual use of covered accounts and alerts from other
sources.









Documents presented for identification appear to have been altered or forged;
Patient states that they are insured but never produces proof of insurance;
Patient medical record illustrates medical treatment that is inconsistent with a
physical exam or medical history as reported by the patient;
Patient contacts [The Agency] with a question or complaint regarding:
o Receipt of a statement or insurance notice for another person;
o Receipt of a statement or insurance notice for a product or service that the
patient denies receiving;
o Receipt of a statement or insurance notice from a provider whom the patient
denies seeing.
Patient contacts [The Agency] after receiving a collection notice from a bill
collector or patient uncovers a discrepancy on his/her credit report;
The description or photograph presented by the patient is not consistent with
the appearance of the patient or individual presenting the information;
Personal identifying information presented is not consistent when compared
against external information sources, i.e. credit reporting agency, Social Security
Administration’s Death Master File (www.ssdmf.com);
Personal identifying information provided is inconsistent when compared with
other personal identifying information provided by the patient, i.e. a lack of
correlation between social security number and date of birth;
Patient billing statements or other information sent to the patient is repeatedly
returned as undeliverable.
4. Detecting “Red Flags”
In order to facilitate detection of the types of relevant indicators of possible identity
theft (Red Flags), [The Agency] may take the following steps to obtain and verify the
identity of the person.
a. New Patient Accounts At Start of Care
1) Required identifying information such as: full legal name, date of birth,
address, driver’s license or government identification card, or passport,
Medicare or insurance card, or Medicaid forms (as appropriate).
2) When possible, verify the information provided by the patient regarding
insurance coverage.
3) [If credit check is performed by [The Agency], mention it here.]
b. Existing Patient Accounts
1) Verify validity of requests for changes of billing address.
2) Verify identification of patients prior to divulging any personal information to
him/her.
5. Preventing and Mitigating Identity Theft
To the extent possible, [The Agency] will take reasonable steps to prevent and
mitigate identity theft. If potential fraudulent activity is detected by [The Agency],
appropriate actions will be taken which include but are not limited to the steps
outlined in Attachment A of this policy.
[The Agency] will notify the patient in writing of possible unauthorized use of their
personal identifying information. The letter will be mailed to the patient via
certified USPS mail, return receipt requested. The letter will state the reason [The
Agency] feels the patient may be victim to identity theft and the recommended
steps the patient should undertake. (See sample letter to patient)
Should [The Agency] confirm that medical identity theft has occurred, [The Agency]
will:
1. If requested to assist with law enforcement notification, contact the appropriate
law enforcement agency to report the identity theft and arrange for meeting
with patient;
2. Prepare a written, detailed report of the identity theft detection and follow-up
for inclusion with the client’s report to law enforcement;
3. strive to remove all inaccurate information from the client’s record in the
agency’s records. Any purged information will be placed in a new, separate
chart that will be filed as a “Jane Doe” or “John Doe” if the identity of the
individual committing the fraud is not known. Otherwise the chart will be
labeled with the correct patient name. The new chart, regardless of whether the
individual committing the fraud is know, will be cross-referenced with the theft
victim’s original chart for accuracy and audit purposes.
4. Notify any treating physician(s) of the occurrence so that the medical record can
be reviewed and updated per the physician’s policy.
5. Prepare a complete written report of the response and mitigation steps taken
for inclusion in the agency’s red flags rule plan; such reports to be reviewed by
the governing authority during plan review.
6. Program Administration
The [Insert appropriate individuals (e.g. designated employee, committee, privacy
office, compliance officer, manager)] of [The Agency] is responsible for developing,
administering and updating the program. All employees of [The Agency] will receive
periodic training on the importance of the program and it’s applicability to [The
Agency].
7. Updating the Program
The [Insert appropriate individual(s) of[The Agency]] will periodically review the
effectiveness of the program and update the program to reflect the addition or
removal of covered accounts and changes in risk to patients / covered account
holders from identity theft.