Red Flag Rules — With a Little Help From Our Friends

By Frank Nuck, Financial Control Solutions

If someone warns you of a “red flag,” the first thing the statement causes you to do is attend to it. Right? Red flag! Warning! Caution! Heed! Alert! Duck! And take action!

The Red Flag Rules (the “Rules”) are an anti-fraud regulation requiring creditors and financial institutions with covered accounts to implement programs to identify, detect and respond to the warning signs — “red flags” — that could indicate identity theft. The Rules require implementation of an Identity Theft Prevention Program (hereinafter, “ITPP”). The federal financial regulatory agencies and the Federal Trade Commission (FTC) developed the Rules, which were mandated by the Fair and Accurate Credit Transactions Act of 2003. Under that Act, a “creditor” is any entity that regularly extends or renews credit or arranges for others to do so, and the definition includes any entity that regularly permits deferred payment for goods or services. Note that on or about July 29, 2009, the FTC said in a news release that it would delay enforcement of the Red Flag Rules, as applied to the health care industry, until November 1, 2009. The release states that the delay is meant to give the FTC additional time to “redouble its efforts” to educate and assist entities regarding compliance, and to ease compliance by providing additional resources and guidance clarifying whether a given business is covered by the Rules and what compliance requires.

Since the AMA previously failed in its challenge seeking to exclude physician practices from the Rules, this article assumes that physician practices are covered and are “creditors” with “covered accounts” under the Rules. A practice that accepts only cash or credit card payment at the time of service, as well as one that accepts only direct payment from Medicaid or similar programs under which the patient has no responsibility for fees, should fall outside the Rules. As an editorial observation, when it comes to whether or not to implement a program under the Rules, err on the side of implementation: FTC studies indicate that medical identity theft is a real and growing threat to both your patients and the public at large. Compliance with the Rules does not appear as burdensome as compliance with other regulations governing medical practices, and regulation of identity theft and data security will only increase. Surprise.

At a basic level, all the Rules tell a medical practice to do is to take action, per its ITPP, when certain events identified in the ITPP occur. By now there have been just enough announcements, notices and trade press to trigger consternation over compliance, but not enough to settle every necessary element of compliance, which will only become evident over time. The sources traditionally sought for help, such as the FTC Red Flags website, offer resources to support compliance, including an online template to help entities design their own ITPP as well as articles, guidance manuals and FAQs to help navigate the Rules.

Again, this article is written to emphasize that in an ever-burgeoning regulatory environment, you may wish to place additional requirements on certain vendors, i.e., those handling your patients’ medical identity information, to protect that information. A given vendor might, and arguably should, implement its own ITPP in order to be “another set of eyes” watching for red flags related to your patients’ medical identity information. After all, the vendor benefits from supplying goods and services to your practice.

This concept is already in play by virtue of HIPAA and its requirement that certain vendors enter into Business Associate Agreements in order to protect confidential patient information (for HIPAA vs. the Rules, see Inset No. 2). The issue is a bit more subtle, yet no less salient, when applied to compliance with the Rules. Under HIPAA, “business associates” of “covered entities” are required to maintain the confidentiality of protected health information. However, vendors such as billing services and collection agencies are, to date, not required by statute to implement a program under the Rules on the practice’s behalf. Our position is that, as a matter of quality control as it applies to the Rules, a practice should at the very least inquire how such vendors implement their own ITPP so as to help protect both the practice and its patients — and perhaps require that they do so.

In general, quality control programs of any sort focus on reducing error rates in order to increase quality. Error rates in any system may be reduced through redundant action. That is, if a particular action results in a human error rate of one in 100 and cannot be further reduced through automation, then if a second actor independently reviews the exact same action with the same likelihood of error, mathematically the rate at which an error slips past both drops to one in 10,000 (the two independent error rates multiplied together). This holds only if the two reviews are truly independent; a reviewer who relies on the first actor’s work, or shares the same blind spot, adds far less than the arithmetic suggests. Obviously, the fact that a given vendor does not mirror your practice’s actions while implementing its own regulatory controls makes the application of the above principle less than exact. However, the mere fact that the vendor is also looking at red flags that involve your patients does enhance the overall identity theft prevention system — both internal (endogenous) and external (exogenous).

If we assume that enlisting your vendors to add to the wall of protection against medical identity theft is a good idea, then what should they be doing to help protect your operation? We are not suggesting that they consult or give legal opinions as to the Rules and your practice, but rather that you simply inquire into, or audit, a vendor’s own quality controls involving the Rules. The following is an example of questions to ask a billing service or collections vendor when auditing their coverage of the Rules as applied to them:

  • Has your organization implemented an Identity Theft Prevention Program comporting with the federal Red Flag Rules? If so, is it in writing?
  • If so, does it identify a clear program purpose and definitions, and may the practice have a copy of the program?
  • Does it identify at least the five primary categories of red flags?
  • Does it identify the actual red flags that fall under those categories and apply to the vendor’s business?
  • Does it include a training program, and if so, how is training evidenced?
  • Is there a preventive (not merely reactive) program in place, and how is the program reviewed and updated?

Attempting to meet the letter of every rule, regulation, letter opinion, announcement, declaration, interpretive ruling and amendment thereto leaves virtually all health care providers with a “Hobson’s Choice” of sorts: either obey everything, or be subject to sanction. Since the likelihood of actually achieving the first option, if not zero, certainly gives infinity a run for its money, most practices are left exposed to the second — and assuming this deduction is correct, is there any solace?

The short answer is decidedly “yes” as it applies to the Rules, since the complexity and scope of an ITPP may be scaled to the risk and size of the particular health care provider, a rational notion not seen in every regulatory imperative (which harks back to the initial lines of this article). While there are stated requirements — identify the red flags to be detected, detect the red flags presented, respond appropriately to mitigate and prevent identity theft, and ensure periodic program updates — no one can possibly anticipate the infinite variations in day-to-day activity, documentation and communications in order to capture every one of them in a written program.

To clarify, a “red flag” for identity theft is some event, document, piece of information or attempted transaction that should alert the practice that someone may not be who he or she claims to be. Instances that could trigger a red flag include:

  • An unrecognized individual who refuses to provide information related to his or her identity but is seeking service. Note: As an agency, we recently received an inquiry from a medical provider client as to whether it could require a patient to provide a Social Security number. The short answer is “no.” The interesting issue is whether such a refusal would in itself constitute a “red flag,” triggering further inquiry and a need to consult the ITPP for procedural guidance;
  • A patient falsely claiming to be someone else known to the office staff;
  • An individual who is unable or unwilling to provide contact information;
  • Documents that appear to have been altered or that do not match the person presenting them;
  • Altered or cancelled insurance cards;
  • Any form of notice stating that a patient’s information or identity may have been stolen;
  • A notice that the patient is on active duty in the armed forces;
  • Address discrepancies in consumer credit reports;
  • Disputes about bills by a patient claiming to be a victim of identity theft;
  • Undeliverable mail or returned checks;
  • Requests for a prescription or refill that do not comport with either past practice involving that patient or known instructions given to that patient;
  • Any past security breach involving an inquiring patient, e.g., a prior breach of a computer database holding that patient’s information;
  • Discrepancies between the purported medical records and the patient’s physical condition.

Complying with the Rules is a “vigilance thing.” There is no way to identify every possible red flag beforehand, so recognizing a discrepancy between what procedure or documentation leads you to expect and what is actually presented is the last line of defense, and the cue to investigate whether the discrepancy is related to medical identity theft. Unlike HIPAA, which requires the execution of Business Associate Agreements to protect certain information, nothing in the Rules compels your vendors to act; we are suggesting that a practice consider requiring certain vendors to implement their own ITPP, which they may not be required to do under the Rules, but which they may do at your behest.

Frank Nuck has authored other articles for M.D. News related to electronic check collection and remote check deposit as the industry moves toward the paperless office. For more information, e-mail or visit Financial Control Solutions’ website at