When legislation occurs anyone on the receiving end of it can usually anticipate money going out, not coming in. And at first blush it seemed that the Red Flags Rule would be no different. But there's a sunny side to complying with this Rule, which was supposed to take effect Nov. 1 and was delayed until June 1: There's minimal cost to implementing this rule and the return on this investment could reduce your bad debt.
Nationally hospitals average 5% bad debt or charity, but in these economic times that number is likely growing. One reason that number may be on the upswing is medical identity theft. The Federal Trade Commission estimates that nearly 5% of the nine million Americans who are victims of identity theft will experience some form of medical identity theft, according to their 2007 survey.
That's where the Red Flags Rule comes in. The Rule requires certain businesses and organizations, including hospitals and other healthcare providers, to develop a written program to spot the warning signs — or "red flags" — of identity theft.
"Healthcare providers must develop and implement programs to detect, prevent, and mitigate identity theft and medical fraud," says Randy Berry, CPA, vice president of Columbus Healthcare & Safety Consultant, LLC and author of Red Flag Rule Compliance for Health Care Providers.
This may feel like a HIPAA déjà vu, but it's not.
First the cost of implementing the Red Flag Rules is generally well under $1,000 not $10,000 if training in-house, and depending on the size of the facility it may be in the hundreds, Berry says. That's chump change when you compare it to the hundreds of thousands of dollars it took for most hospitals to comply with HIPAA. Here's a quick look at the potential costs:
Second, the two regulations target different areas of patient information. The Red Flags Rule is designed to protect the patients billing and personal information (e.g., social security number and health insurance identification) while the HIPAA regulation focuses on the privacy and security of patient medical records (e.g., diagnosis information and medical history).
But back to your bottom line, where the Red Flags Rule may help hospitals is with medical identity theft and fraud prevention. Medical identity theft is slightly different than Medicare fraud, though they do intertwine. One definition of medical identity theft is when a patient's Medicare/Medicaid insurance information is stolen and another individual uses this information for their treatment. When the victim of the theft goes to use their benefits, they find them exhausted.
Additionally the patient's medical records may be affected, as they may now contain information pertaining to the identity thief. This could result in incorrect treatment or diagnose. Medicare fraud can cover anything from falsifying bills to creating fake patients. For a more comprehensive look at the distinctions in these categories, read "Medical Identity Theft: The Information Crime that Can Kill You".
Aside from the cost both these crimes cause to your patients, the hospital is also left in the financial-lurch. When the insurance company catches the claim by the identity thief, they can refuse to reimburse the hospital. The hospital loses all the dollars associated with that visit and that increases bad debt. If taken seriously and implemented well, the Red Flags Rule should help healthcare organizations screen out more of these fraudulent activities.