Red Flag Rule: What are the Obligations for a Health Care Provider Covered by the Red Flag Rule as a Creditor?
If a health care provider falls under the Red Flag Rule as a creditor, the provider must develop and implement a written identity theft prevention program. A key element of the program is the duty to mitigate identity theft.
Basic Organizational Requirements
A health care provider that qualifies as a creditor that offers or maintains covered accounts must develop and implement a written Identity Theft Prevention Program. The purpose of the program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The Program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. A large hospital will need a more robust program than a two-doctor office.
What if a creditor does not maintain covered accounts or is not sure if it does? The rule requires a periodic determination as to whether it offers or maintains covered accounts. The required method calls for a risk assessment to make the determination, taking into consideration:
1. The methods it provides to open its accounts;
2. The methods it provides to access its accounts; and
3. Its previous experiences with identity theft.
For those creditors required to have an Identity Theft Prevention Program, there are four required elements. The program must include reasonable policies and procedures to:
1. Identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program;
2. Detect Red Flags that have been incorporated into its program;
3. Respond appropriately to any Red Flags that are detected;
4. Update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.
There are also four elements for the administration of the Identity Theft Prevention Program. Each creditor required to have a program must:
1. Obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors;
2. Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the program;
3. Train staff, as necessary, to effectively implement the program;
4. Exercise appropriate and effective oversight of service provider arrangements.
Red Flags and Responses for Health Care Providers
The rule requires a creditor with an Identity Theft Prevention Program to consider the official federal agency Guidelines issued as an appendix to the Red Flag regulations. The Guidelines must be included in a written Red Flag identity theft program as “appropriate.” A further Supplement to the Guidelines lists illustrative Red Flags. The Guidelines and the Supplement are reproduced at the end of this document for reference. (See Appendix 1.)
All of this material has some relevance to health care providers, although much of it is more applicable to a financial institution or credit card issuer. The advice about paying attention to an institution’s own experience, to notices or alerts about identity theft, and to suspicious documents is relevant to all. It is also true that health records – which often contain credit card numbers, Social Security Numbers, patients’ home addresses, and financial information – can be rich source material for financial identity thieves. Therefore, attention to the possibility of financial identity theft should be a focus for health care providers just as much as for credit card issuers and merchants.
The purpose here is to highlight identity theft matters specific to health care providers and to medical identity theft. The World Privacy Forum published the first report identifying medical identity theft as a significant national problem. See MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You (May 2006).  The report offers this definition of medical identity theft:
Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity – such as insurance information or Social Security Number – without the victim’s knowledge or consent to obtain medical services or goods, or when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.
Based on the findings in that report and subsequent work, the World Privacy Forum offers suggestions for Red Flags that a health care provider should include in any Identity Theft Prevention Program.  The Red Flags contained in the official guidelines that pertain to suspicious documents, suspicious personal information, unusual activity, and notices from victims and others all have some relevance for health care providers.
The following annotated list of Red Flags is geared specifically to health care providers and is offered as a focused addition to the official guidelines.
• A complaint or question from a patient based on the patient’s receipt of:
o a bill for another individual
o a bill for a product or service that the patient denies receiving
o a bill from a health care provider that the patient never patronized
o an Explanation of Benefits or other notice for health services never received.
The World Privacy Forum Medical Identity Theft report (pages 32 and 35) shows how an unexpected bill or notice of benefits can be one way that a patient can learn that she has been a victim of medical identity theft. “Explanations of Benefits” or EOBs are potentially important tools for patients and providers. For example, hotline information to report possible fraudulent or suspicious activity can be included on an EOB.
• Records showing medical treatment that is inconsistent with a physical examination or medical history as reported by the patient.
In particular, records that show substantial discrepancies in age, race, and other physical descriptions may be evidence of medical identity theft. The World Privacy Forum Medical Identity Theft report (page 33) illustrates how an incorrect blood type was evidence that the patient was a victim of medical identity theft.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
The World Privacy Forum Medical Identity Theft report (page 31) shows how a collection notice can be one way that a patient can learn that she has been a victim of medical identity theft.
• A patient or insurance company report that coverage for legitimate hospital stays is being denied because insurance benefits have been depleted, or that a lifetime cap has been reached.
The World Privacy Forum Medical Identity Theft report (page 34) illustrates how members of a family can be victimized by “looping”, where a thief uses one family member’s benefits and then turns to the next family member when the first victim’s benefits have run out.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
The World Privacy Forum Medical Identity Theft report (page 32) shows how an entry in a credit report can be one way that a patient can learn that she has been a victim of medical identity theft.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
Although financial identity theft differs significantly from medical identity theft, a victim of financial identity theft may be more likely to also be a victim of medical identity theft. Victims of financial identity theft may have filed police reports about their case, and these need to be taken into account.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
A medical identity thief may succeed by obtaining the medical insurance number and other information about the victim. The absence of an actual insurance card is evidence suggesting that the person being treated may not be the actual insured. Note: This particular Red Flag has to be applied with caution because there are other reasons a patient may not have her insurance card.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.
Not all forms of medical identity theft are the result of an individual thief presenting for treatment. The World Privacy Forum Medical Identity Theft report (page 33) illustrates how fraudulent billing by a physician can result in false information in a health record that may affect the treatment of patients. In some cases, clerks, nurses and other hospital employees have exploited their legitimate access to health files to use patients’ identity and health information for medical identity theft. 
One of the important elements of an Identity Theft Prevention Program is the duty to mitigate identity theft. 16 C.F.R. § 681.2(d)(2)(iii). In general, the health care industry has not paid sufficient attention to helping individual victims of medical identity theft. The World Privacy Forum Medical Identity Theft report (beginning on page 40) discusses the problems victims can have when they seek to correct health records and otherwise recover from medical identity theft. The report identified these challenges:
• Lack of enforceable rights to correct medical records in all instances.
• Lack of a government agency dedicated to help victims of medical identity theft.
• Lack of enforceable rights to delete misinformation from medical records.
• Lack of ability in most cases to find all instances of medical records.
• Lack of information resources about the unique needs of medical identity theft victims.
The federal health privacy rules issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) do not mention medical identity theft, and the rights provided to patients by the HIPAA health privacy rule are not sufficient to help all patients who are victims. The World Privacy Forum offers suggestions to victims in using existing HIPAA and other remedies. See Access, Amendment, and Accounting of Disclosures: FAQs for Medical ID Theft Victims at <http://www.worldprivacyforum.org/FAQ_medicalrecordprivacy.html>. For more on the HIPAA health privacy rule, see <http://www.hhs.gov/ocr/hipaa>. For the World Privacy Forum’s Patient’s Guide to HIPAA, see <http://www.worldprivacyforum.org/hipaa/index.html>.
The Red Flag rules impose a separate and independent duty on health care providers subject to the regulation to help victims mitigate the consequences of medical identity theft. Health care providers subject to the rules need to go beyond the provisions in HIPAA to assist victims. For several years, the World Privacy Forum has urged the health care community to do a better job of addressing this issue.
Medical identity theft isn’t something that happens only to patients. Health care providers need to understand that they are victims of medical identity theft just as much as patients and insurers. Services provided to thieves will not be covered by insurance, and providers can lose revenues or have unreimbursed expenses. The cost to a provider of cleaning up records created or changed because of medical identity theft can be significant, as can legal liabilities associated with incorrect records.
Best Practices for Responding to Medical Identity Theft
The World Privacy Forum has been researching and working in the area of medical identity theft since 2005. Over time, several key best practices have emerged. The World Privacy Forum published specific ideas regarding these best practices. See Responses to Medical Identity Theft: Eight Best Practices for Helping Victims of Medical Identity Theft at <http://www.worldprivacyforum.org/medicalidtheftresponses.html>. Not all of the recommended best practices can be implemented by health care providers on their own. Some require national, legislative, or regulatory attention. Nevertheless, these best practices describe actions that can be implemented by most health care providers.
Best practices include:
National level procedures
There is a need for a national level set of procedures to standardize how providers and insurers should handle medical identity theft. The procedures should come from a consensus process that includes health information management professionals, patient representatives, consumer groups, insurers, privacy groups, and others. The standards need to address how to help victims recover from this crime.
There is a need for uniform but appropriately flexible answers to these questions:
o What do we do when a patient claims fraud is in their files?
o What do we do when a patient says the bills are for services she did not receive?
o What do we do for patients and other impacted victims when we uncover a fraudulent operation?
o When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
o What do we do when a provider has altered the patient records?
o How do we handle police reports and requests for investigation from victims?
The answers to these questions need to be considered not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.
Red Flag alerts
Red Flag alerts in the financial sector context make financial institutions affirmatively react to the potential presence of fraud in order to protect consumers and themselves. A Red Flag alert in this context is any mechanism or tool that makes all relevant employees aware that there may be a problem. In some cases, the alert may be requested by the customer. Financial sector types of “Red Flag alerts” have applicability to the health care sector and medical identity theft.
In the medical identity theft context, a “Red Flag alert” could be placed in a victim’s health care records to warn providers, insurers, and consumers of potential fraudulent activity in the past or present. This could include the ability to flag a file on paper or electronically for the presence of Red Flag indicators. The health care sector needs to create specific and thoughtful Red Flag alert guidelines, procedures, and tools for use in the medical identity theft context.
It is not unusual for some victims of medical identity theft to be told they cannot completely delete fraudulent information from one or more segments of their health care files. These victims are good candidates for a Red Flag alert or notice in their records that would highlight the potential presence of incorrect information in the patient file.
John or Jane Doe file extraction
Health information managers may be familiar with this concept already. The basic concept is that if fraud or medical identity theft can be substantiated, the victim’s file is purged of all information that was entered as a result of the fraudulent activity, and is left with a brief cross-reference and explanation of the deletion.
In cases of medical identity theft, fraudulent information may sometimes be added to a pre-existing health file. In other cases, the contents of an entire health file may refer only to the thief’s health conditions, but under the victim’s name and other identifying information. In either case, the fraudulent activity has the potential to introduce errors into the file of the victim. Many times the errors entered into a victim’s file resulting from activities of a medical identity thief can be medically significant. This is one of the core harms of medical identity theft.
In a John or Jane Doe file extraction, if the thief is an unknown individual, the fraudulent information is completely removed from the victim’s file and held separately so there is no danger of mistreatment due to factual error in the file. That separate file is the Jane or John Doe file. The victim’s file and the extracted file are then cross-referenced, allowing for a retraceable data trail for any audits. If the thief is a known individual, the victim’s file can undergo the same kind of data extraction. The only difference is that the provider will have a name to file the purged file information under.
Dedicated, trained personnel available
Dedicated personnel who are trained to respond to this crime should be available at each facility. Small providers can have dedicated regional personnel to help. It is in the providers’ or insurers’ best interest to resolve this crime, and it is in the victims’ best interest to be able to actually talk to a person about what has happened. A designated person trained in the complexities of medical identity theft should be on hand to help both the victim and the institution.
Focus on the right approach: Insider, not just outsider
The preponderance of medical identity theft occurs through insider methods that can be difficult for providers to detect, even after the fact. Even when internal file browser controls and other controls are in place, unless there are safeguards with extensive checks and balances, bad actors on the inside of institutions can commit this crime on a grand scale. For example, in the Cleveland Clinic/Machado case, there were existing controls on downloads of files. The criminal still was able to exceed her download limit regularly, and she sold in excess of 1,100 patient files. 
Unsecured and unencrypted patient information on laptops, thumb drives, and other portable data devices can also pose significant risks, some of them unintentional, such as when workers legitimately take home devices with patient information, and then lose or misplace the devices.
Some institutions check or scan and sometimes store patient IDs as a primary solution to the risk of medical identity theft. While examining patient IDs may help with the one-to-two person and familial types of medical identity theft, the research does not support a conclusion that these types of medical identity theft represent most of the problem. It is therefore important for providers to take steps that have the potential to identify all types of medical identity theft. Checking patient IDs will not stop insiders, and this needs to be taken into careful consideration by stakeholders. ID checks alone are not a sufficient response to medical identity theft.
Some providers have used the excuse of medical identity theft to institute intrusive identity check procedures, for example, biometrics collection or digital scans of government-issued IDs. It is our observation that these additional data collections increase risk for data breach, and also increase data risk for insider use. (Please see the heading “Caution about checking and storing patient identification documents and biometrics” in this document for a more detailed discussion of this.)
Risk assessments specifically for medical identity theft
Most health care institutions already have security risk assessments in place. Risk assessments need to be expanded to consider medical identity theft scenarios. A complete assessment should evaluate outsider threats, but it should also have a strong focus on the insider threat scenario as well.
Insider threat scenarios can include ascertaining the risk factors for large datasets containing patient identity documents, such as scans of government IDs or biometrics; risks in collections of patient information stored on laptops or other portable devices; and access control and oversight of access control. A risk assessment that evaluates the level of segregation of patient health data from financial data can be helpful to the provider in determining risk for identity theft.
Training materials and education for the health care sector
Many individuals and institutions working in the health care sector are not yet aware of medical identity theft. Health care sector leaders need to begin sector-focused education aimed at increasing awareness of the crime, its operations, and how it impacts victims. Ideally, an education plan would be able to also discuss a national set of standards for dealing with the aftermath of medical identity theft with the purpose of helping victims. Again, many materials have a focus on the provider, not on what needs to be done for mitigation of the problems that individual victims have.
Provider education and training should also focus on increasing awareness of the need for provider laptops, desktops, and other computing devices to have security features, and on increasing education on best practices in the protection of patient information. This goes beyond the Red Flag rules per se; however, it is a best practice and a prudent step for providers.
Education for patients and victims
Providers and other stakeholders in the health care sector need to begin patient and victim education regarding medical identity theft. The education should focus on increasing:
- Awareness of the crime
- Awareness of the benefits of requesting a full copy of the health care files from all providers proactively
- Awareness of the need to guard insurance and Medicare/Medicaid card numbers as carefully as Social Security Numbers
- Awareness of the need to proactively request an annual listing of all benefits paid by insurers
- Awareness of the need to educate data breach and financial identity theft victims about the potential for medical identity theft variations of the crime.
- Patient education and training on how to handle their health and insurance records securely, and on increasing awareness of the need for laptops, desktops, and other computing devices they are using that contain their sensitive health or financial information to have security features.
Some of the best practices discussed above are now part of the new Red Flag rules; others are part of a canon of best practices regarding medical identity theft. The World Privacy Forum specifically calls attention to the best practice of having dedicated, trained personnel available to help victims.
Determining that a patient has been a victim of medical identity theft can be a difficult task. Once it has been established that a health record contains information resulting from the medical identity theft, sorting through that health record to isolate the information that is actually about the patient from the information that is about the thief is harder still.
Health care providers are understandably reluctant to change or remove information from a health record. Yet that will sometimes be the proper remedy. It will take trained personnel to help the victim and the provider (who may be a different type of victim) sort out the records. Another of the World Privacy Forum’s best practices – John or Jane Doe file extraction – may be the proper technique.
Caution about Checking and Storing Patient Identification Documents and Biometrics
One of the most significant misunderstandings to arise following the release of the World Privacy Forum’s 2006 report on medical identity theft is the idea that simply checking patient identification (such as a driver’s license) will effectively mitigate medical identity theft. Regrettably, this solution is neither as useful nor as simple as it might appear on the surface.
Identity proofing and the range of issues attached to it are exceptionally complex. Identity management and identity proofing are the subject of significant research and scientific inquiry as well as policy debate at all levels.  The point is that it is a serious topic, and identity proofing should not be entered into lightly. By simply scanning and storing a patient driver’s license, a provider may create as many problems as it solves.
Just because customer identity proofing is commonplace in the financial sector does not mean that it translates perfectly or even well to the health care sector. The two sectors have different regulatory requirements, approaches to access points, security, and information flows. Banks and health care providers also have different competencies, staffing capacities, training, and, in many cases, different procedures when it comes to reviewing and managing customer identification documents. 
Patient identity proofing, particularly in some implementations, can expose patients to increased risk of medical and other forms of identity theft. It can also expose actual victims of medical identity theft to significant problems when they try to demonstrate their innocence. Depending on the implementation, it can potentially increase the liability of a health care provider.
For example, when a patient is asked for a driver’s license when checking in to a hospital, the license itself may be copied or scanned and added to the patient’s file. This can give hospital insiders with criminal tendencies access to a treasure trove of photographic, biometric, and other information previously unavailable. The result can be more identity theft (medical and otherwise).
In some cases, providers collect additional patient biometrics and link that data to the driver’s license, patient ID and medical chart. Unfortunately, when a criminal ties his or her own biometrics to a fake or stolen ID – including a digitally reconstructed ID from a patient file – it is extremely difficult for the victim of medical identity theft to show that he or she is the real Jane or John Smith. In effect, the fake ID becomes an additional barrier to unraveling the criminal activity.
Patient ID checking and proofing is not a silver bullet. It is actually a potentially significant point of risk for health care providers and should be handled with great care. If that ID data is also allowed to be stored on portable devices, the risks increase if the portable device is not properly managed, controlled, and encrypted. Checking an ID and keeping a copy are two different activities. Checking an ID is much less likely to create additional risks, and it may offer the same benefits as storing a copy.
To summarize mitigation issues, the duty to mitigate the effects of medical identity theft is an important element of any Identity Theft Prevention Program. Health care providers should, among other mitigation techniques contemplated by the Red Flag rules:
• Provide trained and dedicated staff to help medical identity theft victims (including the provider itself) confirm the crime and determine its scope.
• Use John or Jane Doe file extraction techniques when appropriate to segregate records about the patient from records about the medical identity thief.
• Undertake or adapt existing risk assessments specifically for medical identity theft.
Any mitigation plan should have a strong focus on helping all victims of the crime.
 The World Privacy Forum maintains a regularly updated collection of materials and news about medical identity theft, including detailed FAQs, reports, public comments, speeches, news, and other materials. <http://www.worldprivacyforum.org/medicalidentitytheft.html>.
 See, e.g., the Department of Justice criminal actions against Fernando Ferrer and Isis Machado. Machado, who worked at the Cleveland Clinic, accessed and sold patient information to Ferrer, who used the information to file false Medicare claims. Press Release, U.S. Department of Justice, Two Defendants Sentenced in Health Care Fraud, HIPAA, and Identity Theft Conspiracy, (May 7, 2007), (U.S. Attorney’s Office, Southern District of Florida), <http://www.usdoj.gov/usao/fls/PressReleases/070503-01.html>.
 The Red Flag rules do not contemplate situations where a provider becomes a victim of medical identity theft. Because this report is focused on the Red Flag regulations, this issue has not been discussed in this report. However, we note that individual doctors may also be victims of identity theft, and this can have deleterious effects on consumers and doctors. See, for example, Associated Press, Couple accused of bilking $1 million in health care fraud scheme, May 14, 2003.
 See, e.g., National Research Council, Who Goes There? Authentication Through the Lens of Privacy (2003) (National Academies Press), <http://www.nap.edu/openbook.php?record_id=10656&page=R1>.
 See Testimony of the World Privacy Forum on Patient Identity Proofing before the Confidentiality, Privacy & Security Workgroup of the American Health Information Community, Sept. 29, 2006, (Department of Health and Human Services) <http://www.dhhs.gov/healthit/ahic/materials/meeting09/cps/P2-PHR-Dixon.pdf>.