Red Flag Rules for Healthcare Providers

Applicability

• The Red Flags Rule applies to those health care providers who are considered "creditors"---meaning they regularly bill patients after medical services are provided, including medical fees not reimbursed by insurance---and if they have "covered accounts," or allow multiple payments from patients. If a health care provider requires prepayment or payment at the time of service, or only accepts direct payment from medical benefits providers and the patient pays no fees at all, then it is not considered a creditor.

Written Policy

• Affected health care providers must develop a written Identity Theft Prevention Program to detect red flags that might indicate identity theft. This program must identify the types of red flags particular to the practice, explain the process for detecting them, describe the steps that will be taken to respond to red flags and detail how the provider will update the program to keep it current.

Enforcement Deadline

• Although the Red Flags Rule became effective on January 1, 2008, the Federal Trade Commission has extended the deadline for enforcing it to December 31, 2010. This will give health care organizations more time to review their billing procedures and determine whether they are creditors with covered accounts and therefore must comply.

Red Flags and Responses

• Examples of red flags include an address that does not match one already in the system, a document that does not look authentic and a patient with no knowledge of his insurance company information. Sometimes the response will be to ask for additional identification or information. Other times the red flag will be elevated to a higher level and a particular procedure, as defined by the health care provider, will be implemented.