Maintaining healthcare compliance includes being vigilant for warning signs of potential waste, abuse, and fraud due to identity theft. Healthcare red flag rules help your organization protect your patients, staff, and financial security from potential medical identity theft. In this post, we provide a breakdown of red rules in healthcare and what policies, procedures, and training your organization can implement to adhere to these regulations.
What Are Red Rules in Healthcare?
Handling sensitive data like Social Security numbers, insurance coverage or enrollment information, names, or credit card numbers always puts an organization at risk for identity theft. For example, some medical identity thieves take insurance information and make fraudulent claims to Medicare or Medicaid for services or goods. Identity theft can also result in the entry of false data into electronic medical records (EMRs) or the creation of fictitious EMRs in victims’ names.
Specific indications or red flags can tip you off to nefarious activities. The term red flag refers to warning signs of fraud, waste, and abuse due to identity theft and other unlawful acts. The Red Flag Program Clarification Act of 2010, or the Red Flags Rule, mandates that specific healthcare organizations and suppliers establish and follow policies that detect and prevent identity theft. Red rules in healthcare apply to entities that:
- Gather or use credit reports that involve credit transactions
- Make payments to or on behalf of someone when they pledge to repay those funds
- Provide credit transaction information to credit reporting agencies
Red rules in healthcare enable compliance officers and others to spot the red flags that indicate potential wrongdoing, including:
- Documents or protected health information (PHI) with false Social Security numbers, phone numbers, or addresses
- Unusual activity or use of data related to a patient’s account
- Warnings from a credit reporting agency
- Notices from law enforcement, patients, or other victims about possible identity theft
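As an added illustration of the document-level red flags listed above (example code written for this post, not a regulator's or vendor's tool): a small screening routine that checks intake records for structurally impossible Social Security and phone numbers and for one SSN presented under different patient names. The SSA issuance rules and phone-number format are assumptions noted in the comments, and the sample intake batch is constructed.

```python
import re
from collections import defaultdict

# Assumed SSA issuance rules: area 000, 666 and 900-999, group 00 and serial
# 0000 are never issued, so a record carrying one of them is a red flag.
_SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")

def ssn_red_flag(ssn):
    m = _SSN_RE.match(ssn.strip())
    if not m:
        return "SSN not in NNN-NN-NNNN form"
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return f"SSN area number {area} is never issued"
    if group == "00" or serial == "0000":
        return "SSN group or serial number is all zeros"
    return None

def phone_red_flag(phone):
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]  # drop a leading US country code
    if len(digits) != 10:
        return "phone number is not 10 digits"
    if digits[0] in "01" or digits[3] in "01":  # assumed NANP rule
        return "area code or exchange cannot start with 0 or 1"
    if len(set(digits)) == 1:
        return "phone number is a single repeated digit"
    return None

def screen_intake(records):
    """Return {patient_id: [red flags]} for records that need investigation."""
    flags = defaultdict(list)
    names_by_ssn = defaultdict(set)
    for r in records:
        for reason in (ssn_red_flag(r["ssn"]), phone_red_flag(r["phone"])):
            if reason:
                flags[r["id"]].append(reason)
        names_by_ssn[r["ssn"]].add(r["name"])
    # One SSN presented under different patient names is unusual account activity.
    for r in records:
        if len(names_by_ssn[r["ssn"]]) > 1:
            flags[r["id"]].append("SSN shared with another patient name")
    return dict(flags)

# Constructed sample intake batch; not real patient data.
SAMPLE_RECORDS = [
    {"id": "P1", "name": "A. Doe", "ssn": "123-45-6789", "phone": "(504) 555-0142"},
    {"id": "P2", "name": "B. Roe", "ssn": "666-12-3456", "phone": "504-555-0199"},
    {"id": "P3", "name": "C. Poe", "ssn": "123-45-6789", "phone": "000-000-0000"},
    {"id": "P4", "name": "D. Moe", "ssn": "234-00-1234", "phone": "1-504-555-0123"},
]
```

Running `screen_intake(SAMPLE_RECORDS)` flags all four sample records: P2 and P4 for never-issued SSN components, P3 for an impossible phone number, and P1 and P3 for sharing one SSN under two names.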
Furthermore, red rules go beyond the Health Insurance Portability and Accountability Act in protecting the security and privacy of PHI by safeguarding:
- Credit card information
- Insurance claim information
- Social Security numbers and other tax identification numbers
- Staff and service provider background checks
How to Keep Your Organization Compliant with Healthcare Red Flag Rules
Noncompliance with the healthcare red flag rules could result in monetary or civil penalties. For example, in December 2023, the U.S. Department of Health and Human Services settled with Lafourche Medical Group in Louisiana, which paid $480,000 after reporting a phishing incident that occurred through an employee email address. This hack affected the PHI of over 34,000 patients.
Therefore, it benefits an organization to implement policies and procedures that protect against medical identity theft. More specifically, these red rules give staff a defined way to identify and respond to red flags.
Policies and procedures for responding to red flags in healthcare should contain the following elements:
- Determine what red flags could be relevant to your practice, organization, or business
- Establish identification criteria for detecting red flags
- Institute measures for financial transactions, such as identity verification and confirmation of patient contact information
- Assign a staff member whose job is to investigate red flags
- Create a procedure for responding to red flags, including requirements for gathering documents, reporting incidents, and taking appropriate and timely actions
- Have a protocol that enables the compliance officer, compliance team, board of directors, or other leaders to review and approve the organization’s red flag policies
- Review all red flag policies annually, if not more frequently
- Incorporate red flag rules in regular staff training