Medical Identity Theft Policies Required for Most Health Care Entities

The Federal Trade Commission has adopted rules that go into effect November 1, 2009, requiring creditors (any entity that sells goods or services to a customer/client/consumer and allows the customer/client/consumer to pay for the goods or services at a later date) to establish policies and procedures to thwart identity theft.

As with HIPAA privacy rules, there is no private right of action for failure to adopt an identity theft protection program. However, the FTC has enforcement powers and can respond to a complaint and impose a maximum fine of $3500 for non-compliance.

Respond to “Red Flags”. An Identity Theft Policy is intended to respond to “Red Flags” which should alert covered entities to make “appropriate responses” that prevent and mitigate identity theft.” For health care providers, appropriate responses might include responding to identity theft alerts from law enforcement agencies or others, monitoring patients' covered accounts, contacting patients when questions or concerns arise regarding access to their account, changing passwords or security codes, refraining from collecting on an account or selling an account to a debt collector, refusing to provide continued services, refusing to provide copies of records or notifying law enforcement as appropriate.

“Red Flags” may include:

1. Records showing medical treatment that is inconsistent with physical examination or medical history as reported by the patient.

2. Records showing substantial discrepancies in age, race, and other physical

descriptions.

3. Questions raised by a patient about an explanation of benefits for services that the patient never received.

4. Dispute of a bill by a patient who is the victim of financial forms of identity theft.

5. Any formal dispute of services or goods rendered by a provider who is given the specific reason of medical identity theft as the reason for the dispute.

6. Blood type discrepancy.

7. Third party payer information cannot be verified.

8. Documents that appear to be altered or forged.

9. Information is provided that is different from information already on file.

Currently, patients who are the victims of medical identity theft face difficult challenges in disputing claims and bills that other individuals posing as them have created. It is not unusual for health care providers that have turned identity theft victims over to a collections process to refuse to discuss the case with the victim. Meanwhile, collection agencies often refuse to believe the victim or acknowledge the possibility of medical identity theft, even if there is solid and well-documented proof of victimization, or the existence of other documentation that exonerates the victim. Thus, when there is a dispute arising on the credit report due to an uncollected health care provider debt, the victims in these cases often cannot get the disputed claim removed.

If a Red Flag arises in the context of a patient visit, other than in an emergency situation, patient services could be denied pending satisfactory explanation of the Red Flag

MEDICAL IDENTITY THEFT PROTECTION POLICY

It is the policy of ______to detect the theft of medical information whenever possible in connection with the delivery of efficient, quality health care services.

  1. When a third party payer card is presented by a patient, a photo identification card (or other identification if the patient does not have a photo identification card) shall be requested to verify identity of the covered individual presenting the card. Such identity matching shall be required for any extension of credit, unless the person requesting credit is known personally to be the individual in whose name and account is established.
  1. All medical personnel treating patients shall be alert for inconsistencies in medical information indicated in any prior medical records and the information given by the patient upon current treatment or indicated from results of medical testing. For example, records showing medical treatment that is inconsistent with physical examination or medical history as reported by the patient, records showing substantial discrepancies in age, race, and other physical descriptions or blood type discrepancy
  1. The business office shall be alert to claims of persons who call or present claims of not having received medical treatment for which they have been billed. If an account is referred for collection, the claims of those who allege theft of medical identity shall be thoroughly investigated.
  1. The business office will periodically check with the local police identity theft specialist for any identified areas which may relate to medical information theft.
  1. The business office submit a report on the application of these policies on an annual basis to the chief financial officer who shall make a report to the Board on the ______Medical Identity Theft Policy.

Courtesy of Irwin Venick, Attorney at Law

Dobbins Venick Law Firm

Legal counsel for TPCA

10-22-09