Medical Identity Theft and the Red Flags Rule

Continuing our Health Information Privacy and Security Week series, today Chris Apgar, CISSP, president of Apgar & Associates LLC, takes a look at medical identity theft within the context of the Red Flags Rule.

Much is reported in the news about identity theft including new catchy commercials that are intended to prompt consumers to pay attention to their credit record. What isn’t mentioned is the threat of medical identity theft. Identity theft is primarily a financial crime while medical identity theft can directly impact an individual’s ability to seek healthcare and health insurance coverage.

Medical identity theft can result in the thief obtaining expensive health services under someone else’s name or purchasing insurance coverage based on someone else’s clean bill of health. When the bills come due, the provider will look for payment from the individual who was the victim of medical identity theft.

When attempting to purchase insurance, the individual with the clean bill of health may find that, say, the thief's chronic conditions now appear on his or her record, with the result that insurance coverage is no longer available or is very expensive.

New regulations will soon be in force that will require certain organizations to implement programs to prevent identity theft and medical identity theft. The new regulations, the Red Flags Rule, are a result of the Fair and Accurate Credit Transactions Act of 2003. The new regulations are effective May 1, 2009.

The regulations, published and to be enforced by the Federal Trade Commission, affect organizations classified as “creditors.” Creditors are organizations that maintain consumer accounts that are classified under the rule as “covered accounts.”

An account is a covered account if partial payment is made with an additional payment made later, or when multiple payments for a given service or product occur. This does not include credit card companies.

In the medical world, most providers are considered creditors because they maintain patient accounts where multiple payments are made. As an example, a patient receives medical services, the provider bills the insurance company and later bills the patient for the balance.

The rule doesn’t just cover what are classified as covered accounts. If a provider even has one covered account, the provider is required to implement an identity theft protection program that includes all patient accounts.

The purpose of an identity or medical identity theft protection plan is to identify flags or triggers that would indicate identity theft may be occurring. As an example, if a patient presents what appears to be altered or forged identification, that would be a flag. If a new patient provides the same billing address as an existing patient (and is not family), that is another flag. The purpose is to take steps to prevent identity and medical identity theft from occurring rather than finding out after the fact.

This directly ties with existing breach notification laws and the HIPAA security rule requirement to form a security incident response team. The team would likely be responsible for following up on reported flags. The breach notification laws are the other side of a protection program. The Red Flags Rule is intended to be preventive while breach notification requirements are reactive.

Most providers and some health plans are required to comply with the Red Flags Rule effective May 1 this year. If the Red Flags class of “creditors” has not started preparation to comply, time is quickly running out.


  1. It is amazing the lengths people will go to to get services. I wonder how often this happens?

    Surely we need some significant health care reform to make sure there is adequate insurance coverage for all.

  2. Many organizations are experiencing an increase in potential medical identity theft cases due to the status of the economy. People have lost their jobs, their insurance, and need care, so they do whatever they need to do to get that care.

  3. I wish that this did cover credit card companies. This should be reconsidered in light of fraudulent credit card applications made with stolen SSNs.

  4. I agree credit card companies should have been directly covered by the Red Flag Rules. Credit card companies, though, are covered by the Gramm-Leach-Bliley Act (GLB), which is the finance industry’s version of HIPAA. It does not include specific identity theft protection requirements, though. Many state identity theft laws require notification of breaches, but that does not include a requirement to implement an identity theft protection program.

  5. My understanding of the legislation is that Medical Identity Theft was always part of the Red Flag rule. I found verification of this in information I received from the National Coordinator of Health IT Office. That information is from October 2008 and says that the FTC’s November 9, 2007 Red Flag Rules extend to “entities outside of the traditional financial institutions, including entities in the health care industry.” The reason I know/learned this is my Medical ID was illegally used by a couple of employees working for one of the big health insurance corps. It was still fraud, regardless of the red flag rule, but if enforcement of the red flags rule had started, I wonder if they could have gotten away with it.
