It’s almost May. Are you ‘Red Flags Rule’ Compliant?

Effective May 1, the Federal Trade Commission’s ‘Red Flags Rule’ will take effect. The rule is intended to help reduce situations involving identity theft and protect consumers’ sensitive information that could be fraudulently used. In looking to facilities with access to patients’ financial information, the government hopes these facilities can help identify and respond to situations involving potential identity theft before serious identity theft problems occur.

Particularly in the long-term care setting, the act is intended to reduce medical identity theft—when a person’s name and insurance information is used without consent to obtain or make false claims for goods or services. It is also in the best interest of the facility to identify suspicious activity on accounts in order to minimize the amount of ‘write-off’ losses.

Examples of potential situations that should trigger the ‘red flag rule’ inquiry by a facility:

· Questions from someone other than the patient himself regarding a bill

· Obviously incorrect addresses and telephone numbers

· Suspicious activity relating to a patient account

· Insurance claim information that does not correspond to a resident’s name and account

Who does the Red Flag Rule apply to?

This broad-based act applies to all entities considered to be a ‘creditor’ under FTC guidelines. All nursing homes and long-term care facilities are impacted by the act because they extend credit to residents regarding payment for services.

The act defines creditors as: ‘[A]ny person who regularly extends, renews, or continues credit; any person who regularly arranges from the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”

How can a facility comply with the rule?

The rule requires facilities to have ‘reasonable’ policies and procedures in place to protect patient information. In the long-term care setting, compliance with the rule is much easier than a high volume physician’s practice. In fact, most facilities would likely be in compliance with the rule if they have a few simple steps in place for new admits to their facilities, such as:

  • Train staff how to identify medical identity theft red flags
  • Institute policies to verify patient identity
  • Assign a staff member to investigate episodes involving discrepancies involving patient information
  • Keep resident’s vital information off of as many documents as possible
  • Alert authorities of suspicious circumstances
The implementation of basic security precautions should eliminate their liability relating to the safeguarding of residents’ privacy. Only in situations where facilities ‘knowingly’ violate their policy would a penalty be dispensed. The act allows penalties of up to $2,500 per violation. The government’s How-to-Guide on complying with the law is located here.

Jonathan Rosenfeld is a lawyer who represents people injured in nursing homes and long-term care facilities. Visit his personal blog at

Topics: Articles