The following is an article I wrote regarding the “Red Flag Rule” for Long Term Living Magazine. While the focus is to prevent fraud, resident privacy will likely be enhanced as well.
Effective May 1, the Federal Trade Commission’s ‘Red Flags Rule’ will take effect. The rule is intended to help reduce situations involving identity theft and protect consumers’ sensitive information that could be fraudulently used. In looking to facilities with access to patients’ financial information, the government hopes these facilities can help identify and respond to situations involving potential identity theft before serious identity theft problems occur.
Particularly in the long-term care setting, the act is intended to reduce medical identity theft—when a person’s name and insurance information is used without consent to obtain or make false claims for goods or services. It is also in the best interest of the facility to identify suspicious activity on accounts in order to minimize the amount of ‘write-off’ losses.
Examples of potential situations that should trigger the ‘red flag rule’ inquiry by a facility:
· Questions from someone other than the patient himself regarding a bill
· Obviously incorrect addresses and telephone numbers
· Suspicious activity relating to a patient account
· Insurance claim information that does not correspond to a resident’s name and account
Who does the Red Flag Rule apply to?
This broad-based act applies to all entities considered to be a ‘creditor’ under FTC guidelines. All nursing homes and long-term care facilities are impacted by the act because they extend credit to residents regarding payment for services.
The act defines creditors as: ‘[A]ny person who regularly extends, renews, or continues credit; any person who regularly arranges from the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
How can a facility comply with the rule?
The rule requires facilities to have ‘reasonable’ policies and procedures in place to protect patient information. In the long-term care setting, compliance with the rule is much easier than a high volume physician’s practice. In fact, most facilities would likely be in compliance with the rule if they have a few simple steps in place for new admits to their facilities, such as:
* Train staff how to identify medical identity theft red flags
* Institute policies to verify patient identity
* Assign a staff member to investigate episodes involving discrepancies involving patient information
* Keep resident’s vital information off of as many documents as possible
* Alert authorities of suspicious circumstances
The implementation of basic security precautions should eliminate their liability relating to the safeguarding of residents’ privacy. Only in situations where facilities ‘knowingly’ violate their policy would a penalty be dispensed. The act allows penalties of up to $2,500 per violation.