Published 12/1/2008
Marty Krawczyk

Identity theft: Could it happen in your office?

Under new regulations, medical practices must take steps to prevent identity theft

The Federal Trade Commission (FTC) Red Flag Rules, which went into effect on November 1, 2008, are part of the government’s continuing efforts to curtail the rise in identity theft. The Red Flag Rules apply to “creditors”—including physicians—and provide guidance for establishing protocols to detect, prevent, and mitigate identity theft.

Recognizing that physicians and others might need additional time to comply with the specific provision for developing and implementing a written identity theft prevention program, the FTC has granted a 6-month “delay of enforcement”—until May 1, 2009—for this part of the rules only. To avoid penalties for noncompliance, physicians and practice administrators should start developing and implementing such a program now.

Why does this apply to you?
If you regularly extend, renew, or continue credit—that is, you don’t demand immediate payment for medical goods and services—the FTC considers you a creditor. Furthermore, if your patients have accounts with you and the potential for identity theft exists, you are subject to the Red Flag Rules.

If you ask for credit reports on prospective patients, or if you issue credit or smart cards to patients, you are also subject to the Rules. For example, the Rules require that if you receive a change of address notice from a patient, you cannot issue a new card until you verify the change of address.

What’s the risk?
In a healthcare setting such as a medical practice, a substantial amount of patient financial and medical information is accessible to employees as well as to other physician practices, hospitals, and vendors. Medical identity theft occurs when someone uses another person’s name, insurance information, or Social Security number (SSN) to obtain medical services or goods, or files false insurance claims and falsifies medical records to support those claims.

Identity theft affects everyone and has a significant impact on patient care and safety. A catastrophic event could result if the physician bases treatment on falsely provided medical information. From an economic perspective, the cost of medical identity theft is huge and growing.

What is an identity theft prevention program?
Although all identity theft prevention programs share certain characteristics (such as being written documents), they vary in size and complexity depending on your practice, the scope of its activities, and the potential risk for identity theft. For example, a solo practitioner in a rural area who knows all of the residents of the community by sight would have a different program than a 50-physician group practice in a large, urban setting.

If you already have policies and procedures in place to comply with the Health Insurance Portability and Accountability Act (HIPAA), you can include them as part of your program, in addition to any strategies you currently use to verify patient identity. The World Privacy Forum (www.worldprivacyforum.org) has developed samples and information to help healthcare providers understand and develop an identity theft prevention program. Be sure to have legal counsel review the written document to ensure that you fully comply with all provisions of the Red Flag Rules, including the following elements:

  • Assessing risk factors
  • Identifying “Red Flag” sources
  • Establishing procedures for detecting red flags
  • Training staff
  • Updating the program
  • Preventing and mitigating identity theft
  • Administering the program

Assessing risk factors
The financial impact of identity theft can be substantial. A patient presenting stolen photo identification and insurance cards may not be detected until treatment is complete and the real insured patient is billed. For the financial stability of your practice, you and your practice executives should carefully review your procedures and processes to identify points in the patient/practice encounter where you can recognize identity theft and take appropriate action.

Your identity theft prevention program should include measures for protecting patient accounts and financial information. You should identify the “red flags” that alert you to breaches in security. Practices that use electronic medical records (EMR) systems can limit access to sensitive financial information by implementing security parameters such as password protection and audit trails. Securing access to financial information found in paper charts is much more challenging.

Do not forget to assess the risk to your practice as well. Include red flags that can indicate potential theft of practice-related information, including bank account numbers, signatures, tax identification numbers, and the SSNs of physicians and staff.

Identifying red flag sources
If you have had prior experience with patient- or practice-related identity theft, you’ve probably examined how it happened, what could have alerted the staff to it, and what should be done to avoid a recurrence. This information can be the starting point for your identity theft prevention program under the new rules.

First, identify the points at which a false identity could be presented, beginning with the new patient intake process. Potential red flags that warrant action by staff include the following:

  • Do the patient’s identification documents appear altered or forged?
  • Are there inconsistencies between verbal and written (documented) information?
  • Is the patient’s SSN listed on the Social Security Administration’s Death Master Registry?

The guidelines also call for monitoring the security of existing accounts, such as your patient financial records. For example, if a patient notifies you of a possible identity theft, you should have policies and procedures in place to note this in the chart, EMR, and billing records.

Other possible sources of red flag activity include the failure to enforce rules against password sharing, and the procedures for releasing medical records to the patient, hospitals, and other physicians.

Establishing procedures
Once you’ve identified potential red flags, you should document and establish procedures for detecting them. For example, in your new patient intake process, you may develop a checklist that prompts staff to ask for identifying information, such as a driver’s license, identification card, passport, or other government-issued photo identification, and that provides guidelines for examining it.

Some practices have begun asking patients for permission to take a photo that is added to the patients’ medical records to aid staff in future identification. Photocopying the patient’s identification may also be helpful.

You should also have policies and procedures for securing your practice’s financial information. Limit access to information about the business side of the practice, including employee records and salaries.

Training staff
Training is critical for an effective identity theft prevention program. Staff and physicians should know what the red flags are and how to respond appropriately. They must understand the seriousness and the impact of medical identity theft. Periodic training will keep everyone alert and active in preventing potential liability and loss of practice revenue.

Updating the program
Methods of identity theft are constantly evolving. Review and update your program regularly. New business arrangements (mergers, alliances, or changes in provider arrangements) should trigger a review and update. Although the guidelines do not define how frequently you should update your program, a quarterly review by practice physicians and staff would be beneficial.

Preventing and mitigating identity theft
If an identity theft situation occurs, you should have procedures in place for responding to the breach in security. The detection of red flags or any unusual activity related to patient records must be brought to the attention of a physician or senior-level manager who can determine what action to take. Depending on the case, you might contact the patient directly, notify law enforcement, close a patient record and create a new one, change passwords, and/or change security codes to prevent future identity theft.

Administering the program
The responsibility for administering the program depends on the practice’s legal structure. For example, in an incorporated medical practice, the board of directors or executive committee would be responsible; in a sole proprietorship, the physician or a senior-level management employee would be the administrator. Consult your legal advisor on this issue.

Avoid penalties by acting now
The new rules require you to have a written identity theft prevention program; under the Fair Credit Reporting Act, you could face monetary penalties if you don’t comply. Because programs are risk-based and flexible, the FTC will judge whether you’ve made a good-faith effort to comply. From a practice management best practices standpoint, an identity theft prevention program can protect both patients and the practice from significant harmful effects.

Marty Krawczyk, a practice management coordinator in the AAOS practice management group, can be reached at krawczyk@aaos.org

References
  1. The full text of the Final Red Flag Rules, Section 114 of the Fair and Accurate Transactions Act (FACTA). http://www.fdic.gov/news/board/07Oct16nine.pdf
  2. Consumer Identification Programs for Financial Transactions. Privacy Rights Clearinghouse. http://www.privacyrights.org/fs/fs31-CIP.htm#A
  3. Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The World Privacy Forum (September 24, 2008). http://www.worldprivacyforum.org/