RED FLAGS RULE POLICY
This Red Flags Rule Policy is for _________________________[insert name of office].
Recognizing that while in the course of caring for and treating patients and while in the
business of providing medical care to patients, this office has been entrusted with sensitive
information related to patients' identity including, but not limited to, medical identification
numbers, social security numbers, driver's license numbers, credit card information, tax
identification numbers, insurance claim information, business identification numbers,
employer identification numbers, personal health information, background check
information and other types of information related to patient identity that should be
reasonably safeguarded from any intentional or unintentional use or disclosure that is
A “Red Flag” is a pattern, practice or specific activity that may indicate the possibility of
identity theft occurring within this medical practice. These “Red Flags” are in addition to
fraud prevention and any other security practices that are currently in place. The FTC
identifies notice from a patient, a victim of identity theft, a law enforcement agent or
someone else that an account has been opened or used fraudulently as a Red Flag for
all businesses. From an assessment of this practice, other Red Flags have been
identified as set forth below.
Therefore, this Red Flags Policy has been developed to detect and prevent medical
identity theft and to comply with the Red Flags Rule of the Federal Trade Commission
(FTC) as of November 1, 2009, adopted by _____[physician, Board of Directors,
appropriate representative or office]________________ on ____[date]___________.
This policy shall be reviewed and approved at least annually.
The designated employee to administer this policy is ______________________. This
employee has the responsibility to administer and oversee this policy as it is
implemented in this medical practice to reasonably and safely protect health information
and sensitive information related to patient identity from disclosure. The designated
employee will also ensure that all staff receive training on the policy and procedures.
Finally, the designated employee will make arrangements to apply this practice's policies
to any service providers of the practice.
It is the policy of _____________________ [name of office] that all members, employees
and contracted services have been trained by November 1, 2009 about the policies and
procedures of this office to comply with the Red Flags Rule. This office will provide
training when there are changes in the persons involved and when there are changes to the
Red Flags Rule, and will require training participants to sign and date a record
documenting the training and when it occurred.
The Red Flags policies are in addition to the HIPAA requirements for security and any other
federal or state laws regarding identity theft or recordkeeping involving sensitive medical
information pertaining to individual patients.
Identification of Red Flags (add to this list if needed)
The following are identified as potential Red Flags:
• Notice from a patient, a victim of identity theft, a law enforcement agency, or someone
else that an account has been opened or used fraudulently.
• Records showing medical treatment inconsistent with the physical exam or medical
history of the patient.
• Coverage for a legitimate service is denied because insurance benefits have been
depleted or a lifetime cap has been reached.
• Complaint or question from a patient about information added to a credit report by a
health care provider or insurer.
• Complaint or question from a patient about a billing where the patient claims identity
theft.
• Complaint or question from a patient about a billing where the patient was not aware of
the medical service being provided or the provider.
• Patient who is unable to provide an insurance card or other documentation of insurance
but claims to be insured with a particular number.
Detection of Red Flags (add any specific detection that applies to your office)
All staff will be alert to detect Red Flags or any other suspicious activity that might
indicate identity theft is occurring. In order to be alert for identity theft that we have
identified, the following procedures will apply:
Instruct new patients to bring photo ID and an insurance card to their appointment for
verification together with proof of address. Staff will verify identity of new patient and
Staff will verify the identity of all patients including requesting photo identification for
those patients who are unknown to staff. Staff will update patient information on a
regular basis, at least annually.
Only personally identifiable information that is needed in the practice will be maintained
as a record within the practice.
Sensitive data will be protected in the collection, retrieval and storage processes within
the office. Access to sensitive data will be limited to those needing such information and
protected with proper security measures and proper disposal of sensitive data will be
If any Red Flags are identified, the employee should obtain the documentation and
report the incident to the designated employee who administers this policy.
Additional Detection that applies to this office:
Response to Red Flags (add specific responses that apply to your office)
Our office will respond to Red Flags that have been identified and detected in the
• If any Red Flags are identified, the employee should obtain the documentation
and report the incident to the designated employee who administers this policy.
• The designated employee administrator will determine if the activity is fraudulent,
and then specific and immediate action will be taken, which may include:
o Not opening an account or cancelling an account or transaction
o Contacting the affected patient
o Notifying appropriate law enforcement
o Contacting or assisting the patient to contact any other health care
o Encouraging patients who claim identity theft to fill out the FTC’s ID Theft
o Comparing the information within the practice with the records in question
and determining whether medical records are likely to be affected. If so,
documenting the identity theft in the medical records.
If the designated employee administrator determines that the patient has not been a
victim of identity theft, the office will take whatever action is deemed to be appropriate.
Other actions that apply to this office include:
Administration (Insert names, dates and check all that apply)
Our program and policies have been approved as set forth above and we have a
designated employee to assist in administering this program.
The staff will be trained as indicated:
Staff Member Date(s) Trained
Service providers include any outside person or company who handles or deals with
accounts or who may have access to information contained within our offices.
_____ We do not use any outside contractors in connection with any accounts covered
by the Red Flags Rule.
______We have identified the following service providers in connection with accounts
covered by the Red Flags Rule and indicate training.
Service Provider When Trained
We plan to update our program and review this policy annually, with the next review
scheduled for __________________________[date] and/or when any of the
______When notified of changes in the Red Flags Rules.
______When identity theft has been experienced by this office.
______If we significantly change the manner and method of how we do business.
Other Administration information for this office:
All practices should have an attorney of their choice review their Red Flags Rule
Policy prior to implementation.