HIPAA (Health Insurance Portability and Accountability Act) Red Flags Rule

The HIPAA (Health Insurance Portability and Accountability Act) Red Flags Rule is aimed at preventing patient identity theft. The rule covers all ‘creditors’, defined as any entity that regularly defers payment for services, arranges for the extension of credit, or, in the case of a healthcare provider, helps patients obtain credit from another source; it excludes healthcare entities that require payment before or at the time of service, as well as a physician who merely accepts credit card payments. It aims to protect what are referred to as ‘covered accounts’, defined as consumer accounts that allow multiple transactions or payments; all accounts that a healthcare organization uses or maintains for its patients are covered accounts. Further, in the interest of patients, the Federal Trade Commission (FTC) issued a set of regulations on May 1, 2009. This FTC Red Flags Rule is in addition to the HIPAA privacy and security rules and guidelines.

The HIPAA Red Flags Rule is aimed at financial institutions and creditors that process and accept third-party or insurance payments, or that allow or provide payment plans to patients. Compliance with the Red Flags Rule can be achieved through the four-step process outlined below.

Identify Red Flags of Identity Theft
The first step is to identify and mark out the scenarios of potential identity theft that occur in the normal course of business. To this end, the Red Flags Rule provides protection against identity theft by requiring healthcare providers to create, follow and monitor prevention and management policies for it. Under this rule, all billing and payment practices followed by healthcare providers must be reviewed and must meet the requirements of the Red Flags Rule. It should also be confirmed whether the activities of the organization fall under the two main categories of the rule: ‘creditor’ and ‘covered account’.

Detect Red Flags in Routine Business
Doctors and physicians are advised to examine thoroughly at least three documents that are available on the HIPAA site, namely [1] identity theft red flags, [2] address discrepancies under the Fair and Accurate Credit Transactions Act of 2003, and [3] fighting fraud with the Red Flags Rule. These documents help them determine their responsibilities for complying with the Red Flags Rule.

Mitigate and Limit the Damage
On spotting these red flags, it is important to prevent the subsequent theft of information pertaining to a patient’s identity, as well as to mitigate any further damage. Proper checks and measures should be instituted (including standard operating procedures, relevant escalation points and effective alternative strategies) to guard against operational and reputational risks.

Raise Awareness in Staff
Finally, staff should be kept up to date with the changing dynamics and risks of identity theft. Training and awareness programmes should therefore be conducted regularly, so as to ensure that all members are informed about the Red Flags Rule and know how to handle such situations.
