Identity Theft Prevention
by Scott Einiger, Esq.
The Federal Trade Commission promulgated regulations that require financial institutions to develop and implement a written Identity Theft Prevention Program (by May 1, 2009) in order to detect, prevent and mitigate medical identity theft. The FTC has taken the position that health care providers (physicians, nursing homes, hospitals, etc.) are creditors if they bill patients following appointments rather than at the time of their appointments, and so takes the position that the new rule applies to them. The AMA and the American Academy of Family Physicians have written to the FTC seeking an exemption for physicians from the Identity Theft Program Rule, but at this time it does not appear likely that the exclusion will be granted.
Medical identity theft can occur when someone uses a person’s identity, such as their name, insurance information or Social Security number, to obtain medical services or goods without the victim’s knowledge or consent. It also occurs when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.
Under the Government’s new regulations, the Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft so as to enable the health care provider to:
- Identify relevant patterns, practices, and specific forms of activity that are “red flags” for possible identity theft;
- Detect red flags that have been incorporated into the Program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure that the Program is updated periodically to reflect changes in risks from identity theft.
Upon development, the Program must be formally authorized and adopted by the entity’s governing body or senior management, and such body or persons are required to provide ongoing administrative oversight of the Program’s implementation, which includes staff training and designation of an oversight employee, audit compliance, and the generation of annual assessment reports.
The new regulations are designed to give physician practices and other health care providers the opportunity to design and implement a compliance program that is appropriate to their size and complexity, as well as the nature of their operations. Failure to comply could mean administrative penalties of up to $2,500 per violation.