HIPAA (Health Insurance Portability and Accountability Act) Red Flags Rule
The HIPAA (Health Insurance Portability and Accountability Act) Red Flags Rule fights patient identity theft. The HIPAA Red Flags Rule covers all ‘creditors’ (defined as any entity that regularly defers payment for services, arranges for the extension of credit, or is a healthcare provider that helps patients obtain credit from another source; excluded are healthcare entities that require payment before or at the time of service, as well as physicians who merely accept credit card payments) and aims to protect what are referred to as ‘covered accounts’ (defined as consumer accounts that allow multiple transactions or payments; all accounts that a healthcare organization uses or maintains for its patients are covered accounts). Further, in the interest of patients, the Federal Trade Commission (FTC) issued a set of regulations on May 1, 2009. This FTC Red Flags Rule is in addition to the HIPAA privacy and security rules and guidelines.
The HIPAA Red Flags Rule is aimed at financial institutions and creditors that process and accept third-party payments or insurance, or that allow or provide payment plans to patients. Compliance with the HIPAA Red Flags Rule can be achieved through the four-step process outlined below.
Identify Red Flags of Identity Theft
The first step is to identify and mark out the scenarios of potential identity theft that can occur in the normal course of business. With this objective, the Red Flags Rule ensures protection against identity theft by requiring healthcare providers to create, follow and keep current policies for detecting, preventing and managing it. Under this rule, all billing and payment practices followed by healthcare providers must be reviewed and must meet the requirements of the Red Flags Rule. It should also be confirmed whether the organization's activities fall under the two main categories of the rule: ‘creditor’ and ‘covered account’.
Detect Red Flags in Routine Business
Doctors and physicians are advised to examine and thoroughly check at least three documents that are available on the HIPAA site (namely [1] identity theft red flags, [2] address discrepancies under the Fair and Accurate Credit Transactions Act of 2003, and [3] fighting fraud with the Red Flags Rule). These documents help them determine their responsibilities in complying with the Red Flags Rule.
Mitigate and Limit the Damage
On spotting these red flags, it is important to prevent subsequent theft of the information pertaining to a patient's identity, as well as to mitigate any further damage. Proper checks and measures should be instituted (including standard operating procedures, relevant escalation points and effective alternative strategies) to guard against operational and reputational risks.
Raise Awareness in Staff
Finally, staff should be kept up to date with the changing dynamics and risks of identity theft. Training and awareness programmes should therefore be conducted regularly, so as to ensure that all members are informed about the Red Flags Rule and know how to handle such situations.