The term "identity theft" is usually associated with criminals seeking to steal personal information for financial gain. A subset of identity theft crimes is medical identity theft, in which a criminal uses another person's identifying data to gain access to healthcare services. In response to the growing problem of medical identity theft, the Federal Trade Commission issued a set of "Red Flag Rules" that would require hospitals and other healthcare providers to create written identity theft prevention procedures and identify the "red flags" of potential medical identity theft crimes.
Examples of Red Flags
Since medical professionals handle sensitive patient data such as addresses, credit card numbers, Social Security numbers and treatment records, they must exercise extreme caution in how they handle this information. Some examples of red flags for medical identity theft include alerts from credit reporting agencies, inconsistencies in personal documentation and identifying information that looks like it might be forged or used improperly. For instance, a potential medical identity theft might involve a criminal using a victim's driver's license or Social Security number to obtain a prescription.
Red Flag Rules Compliance
A healthcare provider must follow the Red Flag Rules if it can be classified as a creditor. The Red Flag Rules define a "creditor" as any business that routinely offers to defer payments for goods or services or arranges for a line of credit for its customers. The line of credit can be from the provider or through a third party. Since many healthcare providers let patients establish payment plans after services have been provided, these providers qualify as creditors under the rules.
Identifying Red Flags
Healthcare providers that are required to meet the Red Flag Rules must have a procedure in place to identify potential red flags. These procedures include examining identity documents, recording inconsistencies between physical examinations and medical records, and tracking instances of inconsistent personal information. An example would be a patient who does not have an appendectomy scar even though his medical records show that he underwent an appendectomy several years ago. Such inconsistencies should be considered a red flag.
Prevention and Mitigation
Healthcare providers must also have a written policy for preventing and mitigating medical identity theft to comply with the Red Flag Rules. These policies must include the procedures for teaching healthcare workers how to handle instances of potential identity theft. For instance, the policy might include preventative measures such as requesting at least two forms of identifying documents as well as verifying all billing and insurance information. Mitigating measures should include correcting the identity theft victim's medical information to reflect accurate data, including treatments received and billing information.