Training, Identifying Discrepancies Are Key in Red Flags Rule

Dom Nicastro, May 6, 2009

When it comes to the Red Flags Rule, the Federal Trade Commission's mandate that creditors establish an identity theft prevention program, an expert says facilities should not sound the sirens.

"Our plan is to train staff to look for red flags and to bring it to the privacy officer's attention," Chris Simons, RHIA, director of UM & HIMS and the privacy officer of Spring Harbor Hospital in Westbrook, ME, tells HealthLeaders Media.

"We certainly don't want registration staff confronting patients or getting in the way of providing medical care when patients need it."

Spring Harbor is ahead of the game. It established its Red Flags Rule program before the FTC's original May 1 deadline. Last week, the regulators pushed compliance back to August 1.

"This is good training any time, so I am fine that we are ahead of the curve," Simons says.

The rule forces any organization considered to be a "creditor" to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. "Creditors," the FTC says, are agencies that regularly extend or renew credit, or arrange for others to do so, and include all entities that regularly permit deferred payments for goods or services. Simons and Spring Harbor followed the FTC guidelines to a tee. The hospital wrote a policy that included potential red flags, established a protocol for when a red flag surfaces, and presented the program to its board of directors for approval.

It also rolled out a PowerPoint training presentation for staff that included:

  • Admissions staff
  • Registration staff
  • Patient accounts staff
  • HIM
  • Clinicians
  • IS staff

In the training, the hospital identified potential red flags, such as:

  • Patient presents documents for identification that appear to be altered or forged
  • Patient's photo, identifying characteristics (e.g. ethnicity, sex, age) or signature does not appear to match what is on file
  • Social Security number or other identifier (e.g. insurance policy number or date of birth) is inconsistent with external information sources
  • Address/phone number or other demographic information is inconsistent with other sources of information
  • Medical records show treatment inconsistent with current presentation

Spring Harbor's Red Flags policy also identifies the privacy officer as the point of contact for any staff member who spots a red flag. The privacy officer then notifies the patient if the case is determined to be identity theft and acts accordingly to protect the victim.

Spring Harbor's policy also asks registration staff members to request picture IDs or at least two other forms of patient ID.

The key for your facility, just as it is at Spring Harbor, is to identify discrepancies and refer to your policy when they occur.

"We focused on this from a patient safety point of view," Simons says. Simons says most facilities should have already had checks in place like these. It's just that now, the FTC has made enforcement formal through a regulation, which is similar to HIPAA through the HITECH Act.

"This is very timely," Simons says. "Every time you turn around, there's a breach."

Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at
