Red Flags Rule - What Audiologists Need to Know

EDITOR'S NOTE: AS OF DECEMBER 2010, AUDIOLOGISTS DO NOT NEED TO COMPLY WITH THE RED FLAGS RULE. VISIT AUDIOLOGYONLINE NEWS

Introduction

For millions of people every year identity theft is more than just a threat, it is a very painful reality. Although businesses bear a large financial burden, it is the victim of the identity theft that suffers economic, psychological, and often emotional devastation. Because we are in the healthcare field and are involved with personal and protected health information, we need to be aware of the signs of possible identity theft as we go about our day to day clinical activities.

Everyone needs to take responsibility for fighting identity theft; however, because healthcare practitioners are often first to spot red flags, it is an important topic for the profession. In addition, under the Red Flags Rules, a recent federal regulation, many healthcare providers are required to spot and then heed the signs of identity theft; therefore, you may need to develop a Red Flag program for your practice to minimize identity theft. During this discussion, we will cover your responsibilities as an audiologist and provide additional resources for you if you need more information. First, we will discuss the regulatory issues and mandates of Red Flag because there are several legislative actions surrounding this particular topic. Then, we will talk about the extent of identity theft and how it has infiltrated almost every segment of our lives. Finally, we will discuss the nuts and bolts of developing a Red Flag program for your organization or practice and pointers on implementation activities.

Legislative Background

In 2003, President George Bush signed into law FACTA, the Fair and Accurate Credit Transactions Act. This law required mandatory compliance by May 2009, which was then delayed until November 2009. FACTA allows consumers to have free access to their credit report once every 12 months from each of the three nationwide consumer reporting companies: Equifax, Experian, and TransUnion. Individuals can go to annualcreditreport.com to obtain a copy of their credit report and see if someone is using their data. This act also contains provisions to help reduce identity theft such as the ability for individuals to place alerts on their credit history. As such, if somebody is looking at giving credit to an individual, they can see on that credit report any suspicious activity. Furthermore, it allows people that are in the military, for example, to put an alert on their credit card history so that suspicious activity can be detected while they are out of the country.

FACTA is follow-up to regulation that began several years ago. First, in 1998, the Identity Theft and Assumption Deterrence Act established that a person who has his or her ID stolen is a true victim and people who take fraudulent action against people regarding their identification are subject to a 25-year imprisonment and fines. In 1999, there was additional legislative activity that required businesses to initiate preventative measures against identify theft. Besides these federal legislative activities, there are also numerous state laws in effect. Every state is different; therefore, you will need to look at your particular state to see if there's anything above and beyond what we will be talking about today.

The Red Flag Rules are part of the FACTA regulations and apply to any business or individual that maintains consumer information. Professionals have to meet the required definitions that are established by the rule. In addition, the Rules mandate significant penalties for people that fail to act responsibly in securing and protecting consumer information. Violations can result in significant monetary penalties as well as significant civil liabilities for breaches that result in lost, stolen, or misuse of protected information that is legally your responsibility.

Risks can be very high. Punishment can be pretty severe; therefore, it is worthwhile to know how these particular legislative acts are going to affect us in clinical practices.

Under the definitions that are put forth by the legislation, creditors and covered accounts must develop programs to prevent, detect and minimize damage from identity theft. A creditor is defined as someone who defers payment of patient debts or accepts deferred payments for the purpose of products (e.g., hearing aids), goods or services. In other words, payment is made after the initial products were sold or service was rendered. Therefore, we are considered creditors if we bill consumers after services are completed. This is the case for reimbursement from Medicare, insurance companies, and other third parties in which the patient is ultimately responsible for what that party doesn't pay. In these cases, you are considered a creditor.

In addition, if you allow payment installments or use a credit organization in which you collect money over time, then you also meet the definition of creditor. Once that has been determined, then you have to consider if you have covered accounts. Covered accounts means you have continuing relationships with consumers for the provision of services, and there are going to be multiple payments made over time for those services.

Another definition of covered account is one where there is foreseeable risk of identity theft. For example, if you are in a business where there is a high incidence of identity theft, if you had a past experience, or if there is risk associated with accessing information in your organization and you would perceive a likelihood that identity theft would occur, you would be considered a covered account.

As an audiologist, if you meet the definition of a creditor, meaning you don't collect all the funds at the time of delivery of services and or goods, then you are going to fall under the Red Flag Rules, and, by law, you will need to develop a written program that will help you to identify and address identity theft issues in your practice. Most audiologists meet that definition and are therefore legally required to develop such a program.

Identity Theft

Over 10 million people are victims of identity theft every year. We can define identity theft as any type of fraud committed that includes using the identifying information of another person. Just like computer viruses and hackers, ID theft is something that we can never completely stop because of the nature of the way data is collected, stored, and shared in today's world, but there are several preventative methods that can be put into play.

There are a lot of reasons why people take other people's identities and a lot of different ways to use them. One reason is financing international terrorism including the 9/11 incident. Those individuals infiltrated our society as a result of stealing and fraudulently having information about other people. Identities are also bought and sold and resold over and over again for personal gain such as by drug addicts, who easily sell names for $100 or more to finance their addictions.

One thing that's also notable is that when there is ID theft, it is not necessarily going to be a one-time occurrence. Instead, your identity could be stolen then resold and reused by various different people. Sadly, identity theft is rather easy and cheap. It only takes a technical savvy teenager to figure out how to make this happen. Furthermore, it can be lucrative, and it doesn't have a high degree of risk, because it is not easy to track. It is also very difficult to prosecute because identity theft will often cross state and international lines, requiring the cooperation between different police department and law enforcement agencies.

A number of well-known businesses have had their information compromised, hacked, lost, or stolen; this includes businesses that most of us have worked with for many years. It happens to the biggest and the best. These types of things are happening on a daily occasion, and there are tens of millions of records that are being compromised either in single or ongoing occurrences.

Identity theft can happen to anyone. How does it happen? First, it can be from a sophisticated internet hacking program or it could be as easy as simple thievery. Lost or stolen laptops are a good source of information. In addition, PDAs, cell phones, and BlackBerrys have an abundance of useful personal information.

The next time you place an order over the telephone for something, for instance with the QVC or Home Shopping Network, consider that the order taker could take your credit card number, copy it for personal use, and run up thousands of dollars of bills before you know it. Furthermore, mail could be compromised, thieves can write down your check routing numbers, or it could even be the pizza delivery person. You give him a credit card to pay for your pizza; he takes that information, and sells it to his buddy before he even makes it back to the shop. The use of credit cards has become so common and so expected that many of us don't think about how vulnerable we make ourselves when we use credit cards in unsecured ways.

Many of us think that there are certain limitations on victim liability but it is really not unconditional. For example, some credit cards advertise that cardholders are only liable for the first $50. Some estimates indicate $54 billion is lost annually with individual businesses losing between $50,000 and $100,000 a year due to identity theft. In terms of the cost to the victim, it could cost you up to $2,000 if your privacy has been compromised just to resolve that particular crime. Then, of course, we all pay an aggregate cost. We all pay through higher prices because of the losses that are happening in the business world, which are estimated to be up to $2 trillion. That could be $300 to $600 annually in increased costs of goods that we're paying when we purchase things. Furthermore, there is an ongoing increase. In the past years, there has been a 10 to 12% surge in identity theft over previous years as people continue to automate data, conduct on line banking, pay bills electronically, and activities of that nature.

The unfortunate victim of ID theft is going to spend an average of three months just trying to undo the damage. It can take up to 18 months to unravel the path and figure out who, what, when, and how. You can spend hundreds of hours that none of us have in our busy lives just trying to sort through the issue, and then, once it has been resolved, there are lingering effects. You could see increases in your insurance rates; you could have difficulty getting credit; you could have difficulty buying a car; credit cards sometimes get canceled.

Data is stored in different ways; however, it all comes together, and everything from our driver's licenses to our college history, health insurance plans, registration, phone numbers, etc. all make us very vulnerable. In some cases there could be a system weakness, in others a staffing weakness, or in others, a paper trail. The list really just goes on and on in terms of the vulnerabilities. Most of us are familiar with identity theft in terms of credit cards; however, there are also various other ways that identity theft can impact us on a personal level.

Several months ago I called my cell phone carrier to make a change in my account, and I was pleased to find out that they did take additional steps to verify my identity. They asked me a series of three questions. What was very surprising to me was that they knew what car I drove 20 years ago, they knew the addresses I lived at since I was a teenager, and they knew other personal information that I had never given them. They used this information to verify my identity, but I thought it was quite surprising that they knew all of this without me ever having provided them with this information. This is just one example of the ways that personal information is shared between businesses.

Nonfinancial Types of Identity Theft

Identity theft can be financial, as we have discussed, where it impacts the economics of an individual. It can also be nonfinancial: having to do with driver's licenses, the use of Social Security numbers, medical information, or even character types of identity frauds.

The first form of nonfinancial identity theft is driver's licenses. Driver's licenses are used so very often. They are our primary source of identification when we're doing just about anything, whether it be traveling, writing a check, or even when you using credit cards to show your identity. If someone steals your driver's license, and then gets a speeding ticket or a DUI, they could be booked as a criminal using your driver's license. There was a recent case in Florida where a woman was indicted on federal charges that had to do with a fraudulent driver's license that she used to withdraw more than $13,000 from the victim's bank account, started credit cards with five different stores, and then charged tens of thousands of dollars on those cards. She did all of this with just a driver's license. A driver's license can be used in a number of different ways to the peril of that person who has had it compromised.

The next form of nonfinancial identity theft is Social Security numbers. Again, we use Social Security numbers relatively often. When you go to a medical office, they ask you for your Social Security number. A lot of times they say they need it to bill your medical insurance, but that's not true. You should really be very careful about when you give out a Social Security number, because if it is compromised, it can be used in a number of different ways. It could be used to file a tax return to steal the refund. It could be used to get a job. Again, like before, it could be used to be open new credit cards. According to the FBI, terrorists have used identity theft as well as Social Security number fraud to enable them to obtain employment and gain access to secure locations. Unfortunately, Social Security numbers, driver's licenses, and bank and credit cards can all be used by terrorists, which is just another example of how identity theft can be very threatening and devastating.

The third form of nonfinancial identity theft is medical ID theft and it is more common than we might believe. Uninsured friends or family members, sometimes from other countries, may masquerade as the covered party to obtain needed medical care. Some of you might have encountered this as audiologists. A hearing impaired person with no coverage might pretend to be a family member and use the family member's medical insurance to get a hearing test and possibly to receive hearing aid benefits. You may have been aware of it, or it may have happened and you never knew about it because the family member didn't complain.

This type of identity theft raises the costs to insurance companies, and that sends up a red flag to us. It can also happen without the insured party's knowledge or consent. If a copy of the medical card is stolen, perhaps by a worker, a janitor, through a stolen wallet, etc., then someone can use that medical ID card to obtain any number of medical services from routine care to surgical care. This really only becomes apparent when the real insured person starts to receive bills or uncovers discrepancies in his or her medical files. A lot of damage can be done by the time that the person whose cerds were stolen becomes aware of it.

Medical ID theft can be difficult to resolve. Victims have limited rights, and this could wreak havoc with their medical and financial lives. The theft could involve anything from medications to false claims.

The ironic part of this is that because of well-intentioned legislation that goes awry, the person who fraudulently steals the medical identity actually has HIPAA protections. This means that if your medical information has been compromised, you will have difficulty even looking at your own medical file because it has somebody else's medical information in it, and they're entitled to privacy. Therefore, you do not have the opportunity to see what is in your records that shouldn't be there. Imagine how difficult it would be to try to get to the bottom of identity theft as a victim if you don't have access to your information. It happens more often than we think it does. You would expect criminals, crime rings to be the culprits in medical ID fraud; however, other hospital employees, including physicians, nurses, and cleaning crews, have all been caught selling medical information or using it inappropriately.

In summary, medical ID theft can result in people getting the wrong medical treatment or another person's medical bills. The health insurance plan could be exhausted for the victim because the other person's bills met the limits of the policy. It could render the identity victim uninsurable because his or her medical record has information relating to the other party who could have been very sick. It could cause you to fail physical exams for employment. This list of negative consequences goes on and on.

The next type of identity theft, character and criminal ID theft, is often committed by a friend or a family member trying to get their way out of a financial jam. In this case, the person literally becomes you. They show up as you, they can impersonate you in any particular situation, including situations with the law. Any time someone uses your name or personal ID when they're being arrested or investigated, it creates another serious threat of deception. It can put you into a very compromised position in which it could keep you from getting a job, could get you fired, could get you arrested, cost you money and bond while you're trying to figure out what to do, and again, you could have a criminal record as a result. If the person actually goes all the way to court and says that they are you, it is going to be very difficult to prove real identities.

Financial Identity Theft

Financial identity theft is a common form of ID theft. Financial identity theft is when someone steals another person's information, uses it to set up new lines of credit, and buys high-ticket items or services in that person's name. It often takes awhile before the victim becomes aware this has happened, because the thief usually changes the billing address so it could be 30, 60, or 90 days before there are any signs that something is wrong. They will max out the lines of credit, have a lot of unpaid bills that go to collections, and eventually, these bills work their way back to the victim. Before long, the victim has a very poor credit rating and there can be lawsuits from the creditors. This is why the free credit report is so beneficial. Accessing the website or going to one of the three agencies that we talked about would be able to alert you that something like this was happening.

One instance of identity theft could follow you and take its toll on your lifestyle, when you go buy a car or a home, apply for a job, insurance, etc. A new breed of criminal wants the personal information that you keep on your customers, suppliers, and employees. Identity thieves are aware that the jackpot is not necessarily in your trash, but in your computer files. That's the most vulnerability lies, in the ability to access large amounts of information through electronic storage.

The Red Flag Rules

The Red Flag Rules are under the regulatory oversight of the Federal Trade Commission, the FTC. As such, businesses need to have a plan in place in writing that describes how customer data is going to be secured as well as an officer on staff who is responsible to implement that plan. Although there is a lot of vulnerability and potential access, we know that we're not going to be able to completely stop it and that's why the FTC is not looking for a perfect system. Instead, it looks for accountability to make sure that you have taken responsible and reasonable steps to protect consumer information.

Specifically, under the FTC Red Flag Rule creditors have to develop a program that covers the prevention, detection, and minimization of damage from identity theft. As discussed before, unless you have a cash-based single transaction practice, you most likely fall under the definition of being a creditor; therefore, you are required to develop these written programs to meet the intention of the Red Flag Rule program.

To develop the Red Flags program written policy for your practice, you need to identify how to prevent and mitigate identity theft, make sure that you have a process in place to review and update your program, and make sure that your staff is trained on it.

Identifying Red Flags

Looking for red flags includes looking for a pattern, practice, or any specific activity that could indicate that there is identity theft in process. To identify such flags, you need to look at the areas of vulnerability within your processes and examine how personally identified information (PII) about a person is going to be accessed. You need to look at both paper and electronic versions, and of course, if there has been previous experience with ID theft, you will need to include that as well as you develop your program.

What are some sample red flags to look for in an audiology practice? The first indication of identity theft often comes from a patient who is uncomfortable with some type of information regarding their financial payments. Often the first sign of trouble is when someone receives an explanation of benefits (EOB) from an insurance company. This goes to the member and the member looks at it and doesn't recognize the services. Similarly, a patient might call you wondering why someone else's bill came to their address or questioning the charges on their bill. This could just be an innocent error, or it could be an indication that this person's identity has been compromised.

Another red flag is a discrepancy in the medical records. Perhaps you have a copy of a patient's medical record that seems inconsistent with your findings. Maybe the age or another physical characteristic of the patient doesn't seem right. Possibly the hearing loss is inconsistent with what you're observing with the patient or with previous results on file.

Another red flag could be when your office tries to verify eligibility and the insurance plan says that the hearing aid benefit has already been used but the member indicates they have never worn or received hearing aids. Furthermore, if the victim does go and get a copy of his or her free annual credit report and sees charges from your company, they're likely to ask you what it is about.

Bill disputes are going to be the most common red flags; however, another red flag is when a patient has a health insurance number but not a valid card. For example, they might have their health plan insurance numbers on a piece of paper instead of having their member ID card that we're usually accustomed to seeing. You may even get an inquiry from a fraud investigator from either the insurance company or possibly even law enforcement. In fact, any of these examples will take on greater importance and certainly higher priority of investigation if the patient has filed a police report regarding identity theft.

Another thing to look for is any type of ID that looks like it might be altered or forged. It's common to look at someone's picture ID and the person doesn't resemble the photo. There may be a difference in hair color, more or less weight, etc. However, we need to at least try to make some reasonable assessment that the person's picture on the driver's license is the person in your clinic. You might want to ask for an additional form of identification if you are uncomfortable with a picture.

Another red flag is when the information on the identification that the patient is presenting you doesn't match the information in your file. This could be a signature card or a recent check on an application that looks like it has been altered.

How do you detect red flags? The first thing to do is ask for photo identification. If you are not in the practice of asking for an ID when you check patients in, this is something that you should probably consider. A government-issued ID is always preferable, and the driver's license is of course the most common. Even if the patient doesn't drive, they could still go to the driver's license bureau and get an identification card; otherwise, they could use a passport, military ID, or anything else official with a picture on it. If they don't have a photo ID, then you need to ask for two forms of legitimate non-photo ID, a Social Security card, a Medicare card, for example.

Make sure to document in the chart that an ID was reviewed because if there is ever any question in the future about what practices you took to protect people within your practice, this would be important. Some practices will take a copy of the driver's license and put it in the file. This is appropriate record taking; however, if you're doing that, now you have that piece of private information in your file that you are responsible for protecting. Consider carefully the necessity to keep Social Security numbers and driver's license numbers in files that other people can access. These are not things that we need on a day to day basis in an audiology practice, and again, even health insurance companies are not using Social Security numbers anymore. In the past, the Social Security number was typically a patient's health insurance ID number. However, as part of the HIPAA revolution, health plans had to stop using the Social Security number as a member ID and they had to issue separate IDs. There is no reason for us to keep Social Security numbers or a picture of the person's driver's license on file as long as they show it to you when they first visit.

If you know the patient, there is no need to verify identity. Verifying the person means that you have verified that person is who they say they are, and if you know the person, you have achieved that.

What about people that call into your office or your billing department with questions? How do you know that he or she is in fact the patient, and what steps do you take to ensure that you protect your patients' information? You need to ask questions for some type of verification. For example, you can ask for the phone number, birthday, zip code, etc. You can ask for anything that you have in your system that the person on the phone can validate as proof that they are the patient in question. Even after the caller verifies their identity with your questions, you should still be very careful about what information you give out.

If some calls in to your office to reschedule an appointment, for example, you don't have to go through the verification process, but billing questions in particular may be red flags. For example, if someone calls with a question about their bill and states, "I thought I put it on this credit card, but I lost that card, so can you give me the credit card number that I billed this particular product or service for?" You should not be giving that information. You can take credit card information, but you can't give it out; that would be a suspicious request.

Sometimes patients ask you why you need to see their ID. You need to explain to them that there are federal mandates that are in place for patient protection, and you are trying to minimize their vulnerability to identity theft. Sometimes they will say they don't have any ID, and if they don't have any ID at all, then that's a judgment call. You are not required to refuse care, but you have to show that you asked for ID and acted responsibly. Depending on the extent and the scope of services that you would be providing to the person that doesn't have the ID, that's a judgment call of whether you would enforce needing ID. For example, if they're going to be having a free hearing screening and don't have ID on them, there's really no harm because no money is required. No credit card information is necessary and you will not be billing any insurance companies, so there's very little risk at seeing a person for a screening if they do not have ID. However, if a patient doesn't have ID and you are going to be doing a series of procedures on them and billing insurance, that's something that you might want to think about a little bit more carefully as you move forward.

You need to build into your policy your system of preventing and identifying risks associated with ID theft and include the steps that you will take to minimize the damage if in fact you suspect or confirm that fraud has happened. This is going to include alerting the individual person that has been victimized as well as the appropriate legal authority. You need to do any and everything that you can to prevent additional harm to the person that's been victimized, such as correcting billing information.

We need to ensure that we create and nurture a culture of patient security in our practices. This is important not just because of the Red Flag Rules but also because of HIPAA. It is part of the confidentiality aspect that we all respect and have in place in our practices. In addition to a culture of security for our patients, we also need to create that culture within our employment settings. You should be very sensitive to PII, such as Social Security numbers, driver's license numbers, and medical IDs. In fact, they should be protected just like they were loose cash. As you've heard today, the loss of PII could be much more devastating than the loss of cash. Cash can be replaced, people's identities cannot.

Anyone that has access to PII in your office needs to be trained on this information. The training has to take place annually, along with HIPAA training, fraud training, confidentiality training, and other mandatory compliance trainings. Your office staff needs to understand the sensitivity of PII, why it needs to be protected, and that there are serious legal consequences for not doing it. For instance, you could be subject to federal regulation, which might mean being fined or have criminal action taken against you. Not to mention, if a patient found you had been negligent in the way that you managed PII, then they could sue for civil damages.

Prevention and Mitigation

How do you minimize the damages that result because of ID theft? You have to monitor accounts and look for red flags. You have to actively have a process in place where you identify that ID theft has occurred and alert the patient when that happens. If you think PII has been compromised, you need to change computer passwords, change locks, add other security devices to block intruders from future efforts, and notify law enforcement. Do not send your patient to collections if you know they have been victimized. You would need to check with your lawyer or another expert on the topic for advice, but you are probably going to have to write off a breach account in which identity theft occurred, because you are going to have a lot of difficulty trying to collect that money.

To comply with HIPAA, you like already have a privacy process to secure your data. Identity theft prevention is something that should stack very nicely on top of any other type of security measures that you have. That being said, identity theft is an everyday occurrence. The more you work with identification and person information and become comfortable with it, the more you might become insensitive to the fact that you are dealing with information that is vulnerable to intruders. Data security plays an essential role in keeping information from falling into the wrong hands. Being sensitive to privacy, security, and confidentiality requires a lot of diligence in terms of the safeguards. You need to have physical safeguards, which means locks on the appropriate files. You cannot leave unsecured data or files laying around the office for unsupervised employees, the cleaning company, a utility person, the landlord, or anyone else to see. You need to be sensitive to turn off the computers when you leave for the weekend and use strong case sensitive passwords so that they are not easily hacked.

In your office, you need to protect the files and information that you have legitimate business reasons to keep and dispose of what you no longer need. Anything that's protected or sensitive has to be shredded or disposed of in a secure manner. You can't throw old charts or other information out into the trash that people could rummage through and use for their own purposes.

Unfortunately, even if you take all of the physical safeguards and appropriate security measures, thieves are resourceful and have ways to steal and use information. Identity theft is going to affect your bottom line because of the people who run up bills with no intention of paying them. In addition to accounts receivable that you cannot collect on, as consumers, we all ultimately pay the bill for uncollected monies that are due and passed on to us in taxes, service charges, etc.

In summary, identity theft poses vulnerabilities and responsibilities to us as audiologists, as practice owners and as individuals. In addition to the federal regulations discussed, there may be state laws in your state that you should be familiar with. Also, as a guide, the American Academy of Audiology offers a Red Flags manual on their website, www.audiology.org. This is the same guide that HearUSA used to develop the plan for the Red Flag Rule. The fill-in-the-blank, 70-page, how-to manual can be ordered for $65 through the online store. It is a great starting point if you don't already have a Red Flag program in place or if you want to make sure your existing program is appropriate.

Editor's Note: On May 28th, 2010, the FTC announced that they delayed enforcement of the Red Flags Rules until December 31, 2010. For more information, please visit: https://www.ftc.gov/opa/2010/05/redflags.shtm