Red Flag Rules — With a Little Help From Our Friends

By Frank Nuck, Financial Control Solutions

If someone warns you of a “red flag,” the first thing the statement causes you to do is attend to it. Right? Red flag! Warning! Caution! Heed! Alert! Duck! And take action!

The Red Flag Rules (the “Rules”) are an anti-fraud regulation requiring creditors and financial institutions with covered accounts to implement programs to identify, detect and respond to the warning signs — “red flags” — that could indicate identity theft. The Rules require implementation of an Identity Theft Prevention Program (hereinafter, “ITPP”). Financial regulatory agencies and the Federal Trade Commission (FTC) developed the Rules, which were mandated by the Fair and Accurate Credit Transactions Act of 2003. Under that Act, a “creditor” is defined as any entity that regularly extends or renews credit or arranges for others to do so, and includes all entities that regularly permit deferred payments for goods or services. Note that on or about July 29, 2009, the FTC, via a news release, said it will delay enforcement of the Red Flag Rule — as applied to the health care industry — until November 1, 2009. The release states that the purpose is to give the FTC additional time to “redouble its efforts” to educate and assist entities regarding compliance with the Rule, and to ease compliance by providing additional resources and guidance that clarify whether a given business is covered by the Rule and what compliance entails.

Since the AMA previously failed in its challenge to have physician practices excluded from the Rules, this article assumes that physician practices must be included and are “creditors” with “covered accounts” under the Rules. A practice that accepts only cash or credit card payments, as well as one that accepts only direct payments from Medicaid or similar programs where the patient has no responsibility for fees, should be excluded. As an editorial observation, when it comes to whether or not to comply with a program for the Rules, err on the side of implementation, since FTC studies indicate that medical-related ID theft is a real and growing threat to both your patients and the public at large. Compliance with the Rules does not appear as burdensome as compliance under other regulations controlling medical practices, and regulations governing ID theft and security will only multiply. Surprise.

At a basic level, all the Rule is telling a medical practice to do is to take action, per your ITPP, when certain events, identified in the ITPP, occur. By now, there have been just enough announcements, notices and trade press to trigger consternation over compliance, but not enough to eliminate concern about all necessary elements of compliance, which will only become evident over time. The sources traditionally sought for help, such as the FTC Red Flags website, offer resources to support compliance, including an online template to help entities design their own ITPP as well as articles, guidance manuals and FAQs to help navigate the Rules.

Again, this article is written to emphasize that in an ever-burgeoning regulatory environment, you may seek to place additional requirements on certain vendors, i.e., those handling your patients’ medical ID information, for protection. A given vendor might, and arguably should, implement its own ITPP in order to be “another set of eyes” watching for red flags related to your patients’ medical ID information. After all, they benefit from supplying goods and services to your practice.

This concept is already in play by virtue of HIPAA and the notion of requiring certain vendors to enter into Business Associate Agreements in order to protect patient confidential information (HIPAA vs. the Rules, see Inset No. 2). The issue is a bit more subtle, yet no less salient, when applied to compliance with the Rules. Under HIPAA, “business associates” of “covered entities” are required to maintain confidentiality of patient health information. However, vendors such as billing services and collection agencies, to date, are not required by statute to implement a Rules program. Our position is that, as a matter of quality control as it applies to the Rules, a practice should at the very least inquire as to how certain vendors implement their own ITPP that will help protect both the practice and its patients — and perhaps require that they do so.

In general, quality control programs of any sort focus on reduced error rates in order to increase quality. Error rates in any system may be reduced through redundant action. That is, if a particular action results in a human error rate of one in 100 and cannot be further reduced through automation, then if a second actor were to review the exact same action with the same likelihood of error, mathematically, the error rate drops to one in 1,000 (by multiplying the coincident error rates). Obviously, the fact that a given vendor does not mirror your practice’s actions while implementing given regulatory controls makes the application of the above principle less than exact. However, the mere fact that the vendor is also looking at red flags that involve your patients does enhance an overall identity theft prevention system — both internal (endogenous) and external (exogenous).

If we assume that conscripting your vendors to add to the wall of protection against medical ID theft is a good idea, then what should they be doing for you to help protect your operation? We are not suggesting that you ask them to consult or give legal opinions as to the Rules and your practice, but rather that you simply inquire into, or audit, a vendor’s own QC controls involving the Rules. The following is an example of questions to ask a billing service or collections vendor when auditing their coverage of the Rules as applied to them:

  • Has your organization implemented an Identity Theft Prevention Program comporting with federal Red Flag rules? If so, is it in writing?
  • If so, does it identify a clear program purpose and definitions, and could you obtain a copy of the program?
  • Does it identify at least the five primary categories of red flags?
  • Does it identify actual red flags that are subsumed under those categories and apply to its business?
  • Does it include a training program, and if so, how is training evidenced?
  • Is there a prevention (not just reactive) program in place, and how is the program reviewed?

Attempting to meet the letter of every rule, regulation, letter opinion, announcement, declaration, interpretive ruling and the amendments thereto leaves virtually all health care providers with a “Hobson’s Choice” of sorts: Either obey, or be subject to sanction. Since the likelihood of the first option, if not impossible, certainly gives infinity a run for its money, most practices are left with the second — and assuming this deduction is correct, is there any solace?

The short answer is decidedly “yes” as it applies to the Rules, since the complexity or scope of an ITPP can be scaled to the risk and size of the particular health care provider, a rational notion not seen in every regulatory imperative (which harks back to the initial lines of this article). It appears that while there are stated requirements — such as: identify red flags to be detected, detect the red flags presented, respond appropriately to mitigate and further prevent theft, and ensure periodic program updates — no one can possibly anticipate the infinite iterations of aberrations in day-to-day activity, documentation and communications in order to capture them in a written program.

To clarify, a “red flag” to a theft of identity is some event, document, information or attempted transaction that should alert the practice that someone is not who he or she claims to be. Suggested instances triggering red flags could be:

  • An unrecognized individual, who refuses to provide information related to their identity but is seeking service. Note: As an agency, we recently received an inquiry by a medical provider client as to whether they could require that a patient provide a Social Security number. The short answer is “no.” The interesting issue is whether or not such failure in itself would constitute a “red flag,” triggering further inquiry and a need to look to the ITPP for procedural guidance;
  • A patient falsely claiming to be someone else known to the office staff;
  • An individual who is unable or unwilling to provide contact information;
  • Documents that appear to have been altered or that do not match the person presenting the information;
  • Altered or cancelled insurance cards;
  • Any form of notice stating that a patient’s information or identity may have been stolen;
  • A notice that the patient is on active duty in the armed forces;
  • Address discrepancies in consumer credit reports;
  • Disputes about bills by a patient claiming to be a victim of ID theft;
  • Undeliverable mail or returned checks;
  • Requests for a prescription or refill that do not comport with either past practices involving that patient or known instructions to that patient;
  • Any past security breaches involving an inquiring patient, e.g., if there had been a prior computer database-related breach of information;
  • Discrepancies between purported medical records and the patient’s physical condition.

Complying with the Rules is a “vigilance thing.” There is no way to identify all possible red flags beforehand, so recognizing a discrepancy in procedural expectations or documentation is the last bastion of hope to investigate whether it is related to medical ID theft. Unlike HIPAA, which requires the execution of Business Associate Agreements to protect certain information, we are suggesting that a practice consider requiring certain vendors to implement their own ITPP, which they may not be required to do under the Rules, but which they may do at your behest.

Frank Nuck has authored other articles for M.D. News related to electronic check collection and remote check deposit as the industry moves toward a paperless office. For more information, e-mail or visit Financial Control Solutions’ website at

Check Deposits at the Speed of Light

By Frank Nuck, Financial Control Solutions

So the mail just arrived and a large stack of checks is staring at you, just begging to be taken to the bank. Only it’s mid-January in Wisconsin, it’s been snowing for eight straight hours, and there is no way you want to go outdoors, especially to fight traffic and the weather just to go to your local friendly bank (they’re nice, but not that nice) just to deposit checks. Unfortunately, the other stack of paper staring at you is your bills, so suit up and go. How bad can it be?

But what if you could deposit those checks from the warmth and protection of your office? No weather, no wear and tear on your vehicle, no hourly labor just for the trip, no potential theft, or, heaven forbid, the threat of a car accident. With a recent change in federal banking regulations, you can do just that.

Up until about two years ago, non-retail operations were not permitted to electronically deposit checks from their office. Scanning checks per se is not new. The national Automated Clearing House (ACH) system has provided an electronic highway for checks as well as other automated payment-related transactions for many years now. It took a change in federal regulations, however, to allow general business offices to take advantage of the highway for check deposit. The question is whether it makes sense for your office, and the first place to look may be your bank statement (the challenges of Wisconsin winters notwithstanding).

Generally speaking, when you set up your banking relationship, you knew that you would be paying banking fees, though most people when asked would be hard-pressed to remember what exactly they pay on a monthly basis. And different banks charge their customers differently. In fact, I would wager that if you pulled your last checking account statement analysis – if you actually receive one – how you are charged and what you are charged may be anything but clear. Besides, if you are paying $.12 per check and $.35 per deposit, how costly can it be? On the other hand, if you could reduce those costs while eliminating the trip to the bank and have your checks clear in no more than 24 to 48 hours, why wouldn’t you?

“Accounts Receivable Conversion” (ARC) is the jargon used by the regulatory body that governs the ACH system – the National Automated Clearinghouse Association (NACHA) – for converting a paper check into electronic text capable of being sent through the ACH system. This process should not be confused with the so-called “Check 21” legislation that took effect this year and requires banks to utilize an infrastructure different from that provided by NACHA. Check 21 (the “Check Clearing for the 21st Century Act”), spawned by the holdup in check transfer that occurred when federal aircraft were grounded following 9/11, transfers images rather than text. As an aside, people are still speculating whether Check 21, which provides for faster check clearing, will require more, less or the same fee structure as accompanies the use of the current NACHA system.

ARC is a very straightforward technology and application. Using software accessible from your PC, your office would simply scan checks to create a batch, run a tape total to match the batch total, press a button and zap. Your check information is digitized and routed through the ACH system. In some systems, once you enter your patient information the first time, every subsequent time you scan a check you only need to key in the date and amount. No bank trips. No deposit slips. Rapid clearing. And, depending upon compatibility, you may be able to import the check data into your billing system.

Cost-justifying ARC is highly idiosyncratic to a particular office. A full-blown analysis should examine quantitative issues such as your current banking fees, labor costs for preparing deposit slips and bank-trip charges, all of which should be properly burdened with real overhead numbers. You can imagine that the comparative cost structure is significantly different if your office is upstairs from your bank, or if you have to drive through a gauntlet of terrain and traffic obstacles to get to the bank, or if your offices are large with a corresponding burden rate. However, the cost justification should be relatively straightforward once you can decipher your actual banking costs.

Given the advent of Check 21, there is more uncertainty about the future of banking-related fees and banking-related activity, but also more options. ARC can provide a cost-effective alternative to your current check management methods while offering the speed promised through Check 21.

For more information about Remote Deposit Checking, contact Financial Control Solutions.