Red Flag What Now?

by Tiffany Lauria

Ask any of the physician practices that were scrambling to meet the June 1st deadline for implementing the ‘Red Flags Rule’ about the decision to delay through December 31st and you are sure to be greeted with a chorus of ‘whew’ and ‘thank goodness’.

To further ease the pain of their efforts, the AMA recently posted that FTC Chairman Jon Leibowitz agrees that physicians should not be required to comply with the hotly debated rule. There have been no changes to the regulation, so practices still have to be prepared for a January 1, 2011 start; however, this recent development bodes well for the prospect that practices may be legally exempted at some point in the near future.

Speaking at the AMA annual meeting on June 14th, Mr. Leibowitz declared, “We feel your pain on red flags, and we want to fix it”.[1] From a practice management standpoint, why is this rule, which is intended to help identify, prevent and mitigate identity theft, such a hot-button issue in the physician practice world? Simply put, more rules and regulations mean more work and expense on the part of the practice.

The ‘Red Flags Rule’, which stems from the Fair and Accurate Credit Transactions Act of 2003, lists a number of steps that must be undertaken by those entities that apparently meet the criteria for needing to comply with the regulation. Included among these steps are establishing policies and procedures in the physician practice to identify red flags, or warning signs of identity theft; detecting and responding to any of these flags; continually updating these policies to keep up with changes or new flags that may be identified over time; getting these policies reviewed and approved by practice management; and finally, training practice staff on these policies and (here’s the kicker) actually implementing and following through with them.

Certainly, no one is debating the need for increased security of personal and financial information, and rightly so, the regulation is designed to put consumer interests first and foremost; however, physician practices are fighting a daily battle just to survive. Decreased payments, increased regulations, revolving payer policies, new technologies and, in the case of smaller practices, large entities eating up the business all combine to make keeping the doors to the practice open more difficult each day.

Add to this the federal government declaring that your practice must spend a chunk of time identifying and preparing these policies, plus the lost productivity of managers and staff during repeated training sessions, and the result is a cumbersome requirement on an already overburdened practice. Further, implementing these policies may require a complete overhaul of practice administrative procedures, and may necessitate new technologies in the practice, a difficult thing to accomplish when there is a contested debate on whether physician practices truly meet the criteria for complying with the rule.

So what should a practice be doing right now to help protect patients from the potential for identity theft? A good place to start is by reviewing your current administrative and information storage procedures with an eye on how well your practice does on keeping patient information confidential.

– Are your billing staff dealing with patients at the front desk area or is there a private area where they can discuss patient items such as credit card numbers and balances?
– If your receptionists need to ask patients for a social security number or date of birth, do they provide them with a pen and paper to write the information down or is it relayed to them verbally while other patients wait in the area to be checked in?
– Are shredders or a document shredding service utilized and do staff know which documents and information must be destroyed?

Also, review your staff username and password policies, making sure that staff understand the consequences of sharing usernames and passwords, use passwords that are more complex than just first and last names, and, if possible, restrict access to certain program areas to staff members who truly have a need for access (e.g. if your medical assistants never do billing functions, restrict their access to patient credit card numbers on file).
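As an added illustration of the two controls just described (not code from the original article or from any practice management product), the snippet below models a deny-by-default mapping of practice roles to program areas and a password rule that rejects passwords built from a staff member's own name or username. The roles, areas and staff records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: which program areas each practice role may reach.
# Any role or area not listed here is denied (deny by default).
ROLE_AREAS = {
    "billing": {"scheduling", "demographics", "balances", "cards_on_file"},
    "reception": {"scheduling", "demographics"},
    "medical_assistant": {"scheduling", "demographics", "clinical"},
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value for this example


@dataclass(frozen=True)
class Staff:
    username: str
    first: str
    last: str
    role: str


def can_access(user: Staff, area: str) -> bool:
    """Return True only if the user's role explicitly lists the area."""
    return area in ROLE_AREAS.get(user.role, set())


def password_acceptable(user: Staff, password: str) -> bool:
    """Reject short passwords and any containing the user's name or username.

    The comparison is case-insensitive so 'JaneDoe2011!' is caught as well as
    'janedoe2011!'. Very short surnames will reject more candidates; that is
    the conservative side to err on.
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    lowered = password.lower()
    return not any(
        token and token.lower() in lowered
        for token in (user.first, user.last, user.username)
    )


def access_decision(user: Staff, area: str) -> str:
    """One audit-log style line per access check, useful for later review."""
    verdict = "ALLOW" if can_access(user, area) else "DENY"
    return f"{verdict} user={user.username} role={user.role} area={area}"


if __name__ == "__main__":
    ma = Staff("jdoe", "Jane", "Doe", "medical_assistant")
    print(access_decision(ma, "cards_on_file"))
    print(password_acceptable(ma, "JaneDoe2011!"))
```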

There are a number of ways in which practices can minimize the potential for identity theft and exceed HIPAA expectations for privacy and protection, regardless of whether it is determined that physician practices must comply with the ‘Red Flags Rule’ starting in 2011.

Take a look now at what your practice is doing to educate staff and protect patients, and consider having an outside expert do a quick assist in identifying areas for improvement or implementing policies that may increase efficiencies without increasing cost. While practices may be overburdened in many areas, doing things right the first time will always be faster and cheaper in the long run.


[1] Stagg Elliot, Victoria and amednews staff. (2010, posted June 28). AMA meeting: Physicians should not fall under “red flags” rule, FTC chair says. American Medical News. Retrieved from http://www.ama-assn.org/amednews/2010/06/28/prl20628.htm

For more information on FTC Chairman Jon Leibowitz’s comments at the AMA Annual Meeting, visit: http://www.ama-assn.org/amednews/2010/06/28/prl20628.htm