Red Flag Rules & Healthcare

by Gerald Hanks - Updated September 26, 2017
Hispanic nurse with patient

The term "identity theft" is usually associated with criminals seeking to steal personal information for financial gain. A subset of identity theft crimes is medical identity theft, in which a criminal uses another person's identifying data to gain access to healthcare services. In response to the growing problem of medical identity theft, the Federal Trade Commission issued a set of "Red Flag Rules" that would require hospitals and other healthcare providers to create written identity theft prevention procedures and identify the "red flags" of potential medical identity theft crimes.

Examples of Red Flags

Since medical professionals handle sensitive patient data such as addresses, credit card numbers, Social Security numbers and treatment records, they must exercise extreme caution in how they handle this information. Some examples of red flags for medical identity theft include alerts from credit reporting agencies, inconsistencies in personal documentation and identifying information that looks like it might be forged or used improperly. For instance, a potential medical identity theft might involve a criminal using a victim's driver's license or Social Security number to obtain a prescription.

Red Flag Rules Compliance

A healthcare provider must follow the Red Flag Rules if it can be classified as a creditor. The Red Flag Rules define a “creditor” as any business that routinely offers to defer payments for goods or services or arranges for a line of credit for its customers. The line of credit can be from the provider or through a third party. Since many healthcare providers let patients establish payment plans after they have completed their services, these providers qualify as creditors under the rules.

Video of the Day

Brought to you by Techwalla
Brought to you by Techwalla

Identifying Red Flags

Healthcare providers that are required to meet the Red Flag Rules must have a procedure in place to identify potential red flags. These procedures include examining identity documents, recording inconsistencies between physical examinations and medical records, and tracking instances of inconsistent personal information. An example would be a patient who does not have an appendectomy scar even though his medical records show that he underwent an appendectomy several years ago. Such inconsistencies should be considered a red flag.

Prevention and Mitigation

Healthcare providers must also have a written policy for preventing and mitigating medical identity theft to comply with the Red Flag Rules. These policies must include the procedures for teaching healthcare workers how to handle instances of potential identity theft. For instance, the policy might include preventative measures such as requesting at least two forms of identifying documents as well as verifying all billing and insurance information. Mitigating measures should include correcting the identity theft victim's medical information to reflect accurate data, including treatments received and billing information.

About the Author

Living in Houston, Gerald Hanks has been a writer since 2008. He has contributed to several special-interest national publications. Before starting his writing career, Gerald was a web programmer and database developer for 12 years.

Photo Credits

  • Jose Luis Pelaez Inc/Blend Images/Getty Images
Cite this Article A tool to create a citation to reference this article Cite this Article