Skip to content

Rule To Prevent Medical ID Theft Angers Doctors

  The last time you visited the doctor, were you asked to show a photo ID? Right now, it’s up to the doctor.  But a new Federal Trade Commission regulation, called the ‘Red Flags Rule,’ may make such checks mandatory.

  The rule, which calls for “financial institutions and creditors to develop and implement written identity theft prevention programs,” also extends to medical providers and hospitals. The reason?  To prevent the lesser-known crime of medical identity theft.

  Consider Janet Phifer, a 47-year-old Maryland woman who works at a Navy base day care center.

   Phifer arrived home one day to find several suspicious letters from her health insurance company, detailing a series of doctor visits she knew nothing about. At first, she hoped it was just an accounting error. The statements explained that TRICARE, the military insurance that Phifer has as a result of her husband’s service, would be covering the in-patient services provided at a New Jersey practice. “I was surprised and shocked because I’ve never been to New Jersey,” she says.

   Phifer soon discovered that a thief had used her personal information to obtain medical care. Armed with as little as a stolen name, Social Security number and date of birth, an imposter can walk into a doctor’s office or hospital and receive services billed to the victim or his or her insurance provider. Although few statistics are available, The FTC reports that medical identity theft accounts for1.3 percent to 3 percent of all identity theft crime — about 250,000 of the approximately 9 million cases of identity theft each year. In Phifer’s case, the thief was able to obtain various medical treatments by using her insurance information. Sometimes, tens of thousands of dollars in medical bills are charged directly to the victim, damaging people’s credit reports and triggering financial hardship.

The FTC hopes that the new regulation, which is set to take effect on Aug. 1, will solve part of the problem. Physicians’ offices and hospitals, among other businesses, will be required to create new protocols to spot the “red flags” of identity theft. These could include spotting fake or altered IDs, inconsistencies in a patient’s medical records or fraud alerts from consumer reporting agencies.

Doctors are not only required to follow procedures that allow them to detect these warning signs effectively but also to spell out what they’ll do when they find something fishy. Physicians would likely plan to alert the victim and avoid sending out a bill for services.

But medical groups, including the American Medical Association, insist the rule is misguided and an unfair burden to physicians.

Their reasoning in part comes down to the actual language of the law. The statute specifies that all “creditors” – defined as businesses that regularly extend or renew credit – are required to implement the new protocols. That includes auto dealers, lawyers, utility companies and, according to the FTC, any physician’s office or hospital that accepts insurance or allows a payment plan.

In several letters to the commission, the AMA and nearly 100 other physicians’ groups argue that although doctors defer payment for services, they are not creditors. According to one of the letters, the rule imposes an “unjustified, unfunded mandate on physicians” and could have “serious adverse consequences” on patients’ access to health care.

Dr. Ardis Hoven, an AMA board member and infectious disease specialist in Lexington, Ky., says the rules “add another degree of regulatory admission for physicians and patients to a system that’s already burdened with responsibilities.” Although the AMA recognizes the problem of medical identity theft,  Hoven said her worry is that the regulations could “severely impact” a doctor’s administrative work load.  Hoven also is concerned about the barrier the rule could present to patients. “In my practice, patients arrive acutely ill. The last thing I want is my patient to be detained at the check-in desk when they’re having acute medical problems.”

But Betsy Broder, who oversees the FTC’s Red Flags program, says patients won’t notice much of a difference at the doctor’s office. They might be asked to show a photo ID when they arrive, but most of the changes will affect doctors behind the scenes. She also notes that the extent of the policies a physician would need to put in place depends on the risk of identity theft at each particular office. A small office with a regular patient base, for example, is less likely to confront an imposter than an office that receives many walk-ins.

Unlike the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996 and provides certain federal protections to people’s health information, the new rule is not designed to secure patient records. Instead, the Red Flags measure focuses on preventing people from using information that has already been stolen.

The regulations, which were developed under the Fair and Accurate Credit Transactions Act of 2003, technically went into effect on Nov. 1, 2008. But beginning Aug. 1, penalities will begin to kick in. Creditors – including doctors or hospitals – could be slapped with a $3,500 fine for each “knowing violation” of the rule. Broder says the FTC will monitor consumer complaints to look for any patterns of theft at a particular office to pursue investigations. But she adds that “at this early stage, we will be looking for good faith efforts at compliance.”

Pam Dixon, executive director of the World Privacy Forum, an organization that has written several reports on medical identity theft, says the new obligations for doctors are well worth the protections the rule affords to potential victims.

As for the protests from doctors, Dixon says, “the health care sector is where the financial sector was 10 to 15 years ago.” But as more cost and incidence data emerged, the financial sector realized they needed to take action. “Ultimately it’s in the providers’ best interest to work on resolving this problem earlier than later,” she says, adding that aside from being one of the most expensive forms of identity theft, the medical variety also is one of the most difficult types to remedy because a victim’s medical records can be nearly impossible to clear.

Phifer, the woman whose TRICARE insurance paid for someone else’s coverage, has called the military insurer several times and visited its office on the naval base near her home. But so far, she has been unable have her records corrected, although she hasn’t been charged for any of the imposter’s visits. “I felt nervous and then after it started sinking in, I started feeling angry. My husband was 20 years in the military to get those benefits, and someone came and just used it,” she says.

The FTC’s Broder says victims like Phifer should be concerned about the resulting inaccuracies in their medical records, which can have serious health ramifications. “Consider the consequences of a diabetic whose records are corrupted by someone who is not diabetic,” she says. That person may then be treated with the wrong protocol the next time they visit the hospital. “As we move towards electronic health records and the consolidation of information, there’s an even greater likelihood of corrupting medical records as a result of medical identify theft,” Broder adds, although electronic records could also make it easier to detect and track inconsistencies in a patient’s information.

But while the debate over the Red Flags Rule continues, some say there are much more pressing medical crimes to consider, such as the more widespread issue of Medicare fraud, which includes charging Medicare for services that were never rendered. Alex Acosta, U.S. Attorney for the Southern District of Florida, a hot spot for Medicare fraud, says he has prosecuted over $2 billion worth of fraud in the past 2 ½ years, and none of it was related to the kind of medical identity theft protected by the Red Flags Rule. “While prevention of medical identity theft is important, ultimately you’re playing at the margins here-you’re not addressing the central problem,” he says.