Brett Elliott MD PA Identity Theft Prevention and Detection  Policy Known as the FTC Red Flag Rule

 

Policy  Summary

  In November 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule” and as of December 31, 2010  medical practices are required to comply with this mandate. Specifically, this policy summarizes how Brett Elliott, MD, PA will (1) identify, (2) detect and (3) respond to “red flags.” A “red flag” as defined by this policy includes a pattern, practice, or specific account or record activity that indicates possible identity theft. 

  It is the policy of Brett Elliott, MD, PA that all members of our workforce have been trained by the November 1, 2009 final compliance date on the policies and procedures governing compliance with the Red Flag Rule. It is also the policy of Brett Elliott, MD, PA that new members of our workforce receive training on these matters within a reasonable time after they have joined the workforce, and retraining will occur if the rules materially change.

I:   Identify red flags:   In the course of caring for patients, Brett Elliott, MD, PA may encounter inconsistent or suspicious documents, information or activity that may signal identity theft. Brett Elliott, MD, PA identifies the following as potential red flags, and this policy includes procedures describing how to detect and respond to these red flags below:

 

1.      A complaint or question from a patient based on the patient’s receipt of:

· A bill for another individual;

· A bill for a product or service that the patient denies receiving;

· A bill from a health care provider that the patient never patronized; or

· A notice of insurance benefits (or explanation of benefits) for health care services never received.

2.      Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.

3.      A complaint or question from a patient about the receipt of a collection notice from a bill collector.

4.      A patient or health insurer report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.

5.      A complaint or question from a patient about information added to a credit report by a health care provider or health insurer.

6.      A dispute of a bill by a patient who claims to be the victim of any type of identity theft.

7.      A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.

8.      A notice or inquiry from an insurance fraud investigator for a private health insurer or a law enforcement agency.

 

II:   Detect red flags:    Brett Elliott, MD, PA practice staff will be alert for discrepancies in documents and patient information that suggest risk of identity theft or fraud. Brett Elliott, MD, PA will verify patient identity, address and insurance coverage at the time of patient registration/check-in.

 

1.      When a patient presents for an appointment they will be asked for a picture ID and if they have medical insurance an insurance card. If these are unavailable other means of identification will be requested. This will be waived for patients who have visited the practice for the last six months or are otherwise known to staff.

2.      Staff should be alert for the possibility of identity theft in the following situations:

· The photograph on a driver’s license or other photo ID submitted by the  patient does not resemble the patient.

· The patient submits a driver’s license, insurance card, or other identifying information that appears to be altered or forged.

· Information on one form of identification the patient submitted is inconsistent with information on another form of identification or with information already in the practice’s records.

· An address or telephone number is discovered to be suspicious.

· The patient fails to provide reasonable identifying information or documents.

· The patient’s signature does not match a signature in the practice’s records.

III:  Respond to Red Flags:    If an employee detects fraudulent activity or if a patient claims to be a victim of identity theft, Brett Elliott, MD, PA will respond to and investigate the situation. If the fraudulent activity involves protected health information (PHI) covered under the HIPAA security standards, Brett Elliott, MD, PA will also apply its existing HIPAA security policies and procedures to the response. 

If potentially fraudulent activity (a red flag) is detected by an employee of Brett Elliott, MD, PA:

1.      The employee should gather all documentation and report the incident to Brett Elliott, MD, PA who will attempt to determine whether the activity is fraudulent or authentic.

2.      If the activity is determined to be fraudulent, then Brett Elliott, MD, PA should as soon as possible take actins that may include:

· Cancel the transaction;

· Notify appropriate law enforcement;

· Notify the affected patient;

· Notify affected physician(s); and

· Assess impact to practice.

 

If a patient claims to be a victim of identity theft:

1.      The patient should be encouraged to file a police report for identity theft if he/she has not done so already.

2.      The patient should be encouraged to complete th ID Theft Affidavit  developed by the FTC, along with supporting documentation.

3.      Brett Elliott, MD, PA will compare the patient’s documentation with personal information in the practice’s records.

4.      If following investigation, it appears that the patient has been a victim of identity theft, Brett Elliott, MD, PA will promptly consider what further remedial act/notifications may be needed under the circumstances.

5.      The physician will review the affected patient’s medical record to confirm whether documentation was made in the patient’s medical record that resulted in inaccurate information in the record. If inaccuracies due to identity theft exist, a notation should be made in the record to indicate identity theft.

6.      The practice medical records staff will determine whether any other records and/or ancillary service providers are linked to inaccurate information. Any additional files containing information relevant to identity theft will be removed and appropriate action taken. The patient is responsible for contacting ancillary service providers.

7.       If following investigation, it does not appear that the patient has been a victim of identity theft, Brett Elliott, MD, PA will take whatever action it deems appropriate.

***** This page was last updated on 06/06/10  *****