Q: I understand that there were some rules implemented this year regarding identity theft. Is there something I must do, or am I exempt because I am an acupuncturist and most of my patients pay cash?
A: You are correct that there was further implementation of HIPAA regulations, under the Federal Trade Commission, to protect patient privacy of their health information.
Essentially, it's to prevent someone from using another person's name or identifying information to submit invoices, statements, bills, insurance billing or for other purposes consistent with collection and reimbursement of health care services. Therefore, any provider who bills for services, even simple cash transactions, would need to follow the new regulations to prevent identity theft.
It has been misconstrued that privacy regulations do not apply if you do not bill insurance or bill electronically. In fact, privacy rules do apply to all providers, as a patient has a right to the privacy of their medical information. All health care providers have a duty to ensure the protection of the patient's private health information. However, the level of standards and procedures required in each office can vary greatly. Certainly, if you are not doing electronic billing, the privacy regulations pertaining to electronic data need not be followed. However, just because you may not do that particular type of billing does not exempt you from the overall rules of privacy, and that is the case here.
Don't feel intimidated by this. It simply requires you have a written protocol that outlines what your office does to recognize and prevent identity theft; more specifically medical identity theft. The following is a simple format for a document of compliance that would be entitled Detecting Red Flags of Identity Theft. This example is for a small health care practice with a well-known, limited patient base and a low, minimal or non-existent risk of identity theft. The following activities are used in identifying red flags:
- All prospective new patients are required to establish their identity by producing for photocopying an unexpired driver license or state identification card with a photograph. The license or identification card is examined to determine whether it is current and appears to be valid. Specific holograms and other markings are examined for authenticity. The absence of these features indicates that the license or identification card is counterfeit.
- The name and address information on the driver license or identification card is compared to the address on the insurance information furnished by the new patient. Any discrepancies must be resolved.
- The name and address information on the driver license or identification card is compared to any credit card or bank check produced for payment of services. Any discrepancies must be resolved before accepting payment.
- Prospective patients are requested to fully complete intake forms and produce for photocopying insurance cards or other proof of insurance. The information on the completed intake form, insurance card or other proof of insurance is compared with the driver license or identification card. Any discrepancy must be resolved.
- The prospective patient is not accepted as a new patient until all of the aforementioned discrepancies are resolved.
- All staff are trained to follow the above-listed identification and detection factors.
That is essentially all that is needed, as this serves as a written protocol for compliance with the new regulation. For the most part this is likely something you were inherently doing, and is simply now documented to meet the regulation. However, for those who request it, I will send a complete compliance document for this regulation that includes more detail, as well as specific follow-up protocols when there may be a discrepancy. Please request the "Identity Theft" document at my e-mail address: .
Click here for more information about Samuel A. Collins.