Mar 7, 2011 – The Federal Trade Commission has once again pushed back the deadline for compliance with the Red Flags Rule until December 31, 2010.

In Nov. 2007, the Federal Trade Commission issued a set of regulations, known as the “Red Flags Rule,” requiring the implementation of written identity theft prevention and detection programs to protect consumers from identity theft. Unlike HIPAA privacy regulations intended to protect medical privacy, the Red Flags Rule is concerned with financial security. More specifically, and as defined by the FTC, a red flag is a “pattern, practice, or specific activity that indicates the possible existence of identity theft.”


The Red Flags Rule requires that practices provide policies and procedures to:

  • Identify relevant red flags.
  • Detect red flags in patient accounts.
  • Respond appropriately to any red flags detected in patient accounts.
  • Ensure the program is updated periodically to reflect changes and remain compliant.

Despite the American Medical Association’s efforts to exempt physicians from the rule, the FTC has determined that medical practices are frequently considered “creditors” as they regularly bill patients after the completion of services. Only cash-only practices requiring upfront payment and not maintaining patient balances would be exempt from the Rule.

If your practice is behind in developing a compliance procedure for the new Red Flags Rule, time is running out. PGM, a full-service medical billing company, has developed a few simple steps to help you get started.

Check every patient’s ID. Before making a copy of the driver’s license or government-issued ID card, take a closer look and make sure the photo and information match your patient, and that it hasn’t expired. And if the address on the card doesn’t match the one the patient gave you, ask questions, says Barry Herrin, an attorney and partner at Smith Moore Leatherwood LLP, which focuses on healthcare law and policy.

Look out for suspicious activity. What if a patient gives you insurance information over the phone, but can’t produce the card in person? That seems strange. Or the medical record doesn’t match the information a patient gives (she is a lot taller in person than her chart claims)? Also a little fishy. “You’re dealing with the subtleties of things that don’t add up,” says medical practice consultant Lucien Roberts.

Fine-tune your system for interacting with patients remotely. If a patient calls to ask about her bill, ask for her driver’s license number, Herrin says, or consider having her sign and fax you a statement that you can compare with what you have on file.

Separate clinical and financial information. Herrin recommends keeping financial information in a separate and secure computer and out of the patient’s medical chart, so Social Security and credit card numbers are viewed by fewer people.

Set up a comprehensive program. Your Red Flags policy must show the procedures you’ve put in place to detect the red flags, describe how you prevent identity theft, and include details on how you’re training staff on the new procedures. It also must be approved by your Board of Directors and kept up to date to address new risks.

While the Red Flags Rule may initially seem like just one more time-consuming task a medical practice must manage on a daily basis, the end result will be improved patient information, which will lead to more efficient medical billing, fewer denied claims and increased profitability for your practice.