Red Flag Rules – The Next Steps for Physicians

The red flag rules, which require creditors to implement a formal policy for detecting and preventing identity theft, also apply to the healthcare industry. The effective date for the red flag rules has been delayed until August 1, 2009. The red flag rules were authorized under “the 2003 Fair and Accurate Credit Transitions Act, which” covers “entities that regularly extend credit, or defer payment for services.” The FTC claims that physicians are considered creditors under the rules. However, the American Medical Association and several medical organizations are continuing to challenge what they believe is an overly broad legal interpretation. In the meantime, organized medicine and legal experts urge doctors to implement the necessary compliance measures. The rules require physician practices to identify red flags, or warning signs, of potential identity theft occurrences, create a corporate policy for responding to such risks, and train staff on the new policy.

Physicians should follow these practical tips when developing and implementing their identity theft prevention policies:

• Identify warning signs of potential identity theft that may occur in daily operations. Such red flags may include bills for services not rendered, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.

• Outline clear procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.

• Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.

• Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.

• Review and update the identity theft prevention policy at least once a year.


© 2009 Parsonage Vandenack Williams LLC

  For more information, contact

How to Identify Red Flags


A healthcare provider’s Identity Theft Prevention Program should identify red flags in four main categories: (1) suspicious documents; (2) suspicious personally identifying information; (3) suspicious activities; and (4) notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. 


All employees who interact with patients must be aware of things to look for in the following areas:


Suspicious documents


  • Has a new patient provided identification documents that look altered or forged? 
  • Is the photograph or physical description on the ID inconsistent with what the patient looks like? 
  • Did the patient provide other documentation inconsistent with what he or she has told an employee – for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere?  


Suspicious personally identifying information


  • If a patient provides information that does not match what an employee has learned from other sources, it may be a red flag of identity theft. 
  • For instance, if the patient provides a home address, birth date, or Social Security number that does not match information on file or from the insurer, this may indicate fraud.


Suspicious activities


  • Is mail returned repeatedly as undeliverable, even though the patient continues to show up for appointments? 
  • Does a patient complain about receiving a bill for a service that he or she didn’t get? 
  • Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? 


Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft


  • Has the provider or an employee received word about identity theft from another source? 
  • All employees must heed warnings from others that identity theft may be ongoing.


Although the above list provides some examples of things to look for to identify red flags, it is not intended to be an exhaustive list.  Instead, employees must continuously be aware of any signs of identity theft relevant to the healthcare provider’s practice and share this information with others involved in the Identity Theft Prevention Program.



 © 2009 Parsonage Vandenack Williams LLC

  For more information, contact