RED FLAG LAW made EASY! HIPAA made EASY. Training, Implementation & Sign-off Sheets

Transcription

1 HIPAA made EASY RED FLAG LAW made EASY! Training, Implementation & Sign-off Sheets HIPAA MADE EASY / 2009/2017 All Rights Reserved 104 HIPAA MANUAL TO OMNIBUS RULE STANDARD

2 The RED FLAG LAW is a federally mandated law that must be in place and operating in your office by May 1, It is a prevention from IDEN- TITY THEFT for your patients who may opt to make payments for their healthcare treatment. Healthcare practices must review billing and payment procedures and know the law and how to enforce it. Red Flag simply means suspicious actions surrounding a patient s payment/ identification practices. For instance, they do not provide an authentic looking ID when opening an account with your office, or their credit card does not match their ID. Read on to learn the full intent of the law and how to abide. KEY TERMS TO KNOW: Creditor: Healthcare providers may be subject to the Rule if they are Creditors. Although you may not think of your practice as a Creditor in the traditional sense of a bank or mortgage company, the law defines Creditor to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a Creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, healthcare providers who regularly allow patients to set up payment plans after services have been rendered are Creditors under the Rule. Healthcare providers are also considered creditors if they help patients get credit from other sources for example, if they distribute and process applications for credit accounts tailored to the healthcare industry. On the other hand, healthcare providers who require payment before or at the time of service are not Creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under HIPAA Rule. Covered Account: Is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally covered accounts under the law. If your organization or practice is a Creditor with Covered Accounts, you must develop a written identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts. Understanding Identity Theft Identity Theft is fraud committed or attempted using the identifying information of another person without authority. Identifying Information Is any name or number that may be used, alone or in conjunction with any other information, top identify a specific person, including any Name Date of Birth Identification Number Passport Number Social Security number Official Driver s License Alien Registration Number Employer or Taxpayer Identification Number HIPAA MADE EASY / 2009/2017 All Rights Reserved 105 HIPAA MANUAL TO OMNIBUS RULE STANDARD

3 Also, any unique biometric data, such as: Fingerprint Retina or Iris Image Voice print Other unique physical representation Any unique electronic identification number, such as: Address Telecommunication ID Routing code Access Device (as defined in 18 U.S.C. 1029(e)). By now, you are familiar with the HIPAA Administrative Simplification Privacy and Security Rules, note that these identifiers also are pertinent to the definition of protected health information in oral, written, or electronic formats. Attached is the official Fighting Fraud with the Red Flag Rule Business Guide for an outline of a Four Step Process for compliance with the Red Flag rule. These steps (outlined below) are in more detail in the business guide. Please fill in the Red Flag Rule Made Easy Worksheets at the end of the official guide to make your office fully compliant. FOUR STEP PROCESS FOR RED FLAG COMPLIANCE: 1. Identify Relevant Red Flag Identify the red flags of identity theft you re likely to come across in your business. 2. Detect Red Flag Set up procedures to detect those red flags in your dayto-day operations. 3. Prevent and mitigate identity theft If you spot the red flags you ve identified, respond appropriately to prevent and mitigate the harm done. 4. Update your Program The risks of identity theft can change rapidly, so it s important to keep your Program current and educate your staff. As a healthcare Covered Entity, you will note that these steps once completed, will take you to compliance for this new Red Flag Law. It will also be necessary to periodically update other HIPAA Security Rules. For more information, keep in close contact with HealthcareEnhancements.com or use these resources: National Institute of Standards and Technology (NIST) Special Publication Revision 1 (October 2008), which is available for download on HIPAA.com under Security. ** Excerpts from: Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Ed Jones, Author & Healthcare Authority HIPAA MADE EASY / 2009/2017 All Rights Reserved 106 HIPAA MANUAL TO OMNIBUS RULE STANDARD

4 Fraud-Prevention Guidelines in accordance with HIPAA and Red Flag Law Office: Date Implemented: Listed below is our official procedure for Fraud-Prevention at this facility. These guidelines were developed in accordance and comply with HIPAA s Red Flag Law. All employees have been trained and agree to uphold the following courses of actions: 1. Relevant Red Flags in our Business: Fake ID (Driver s License, Passport, Credit cards, Insurance Cards) ID appears to be altered or forged No ID No address or proof-thereof Signature does not match IDs Social Security or Employee IDs do not match or exist Will not take a patient photo ID for our files Patient completes forms with mismatched info Patient cannot answer personal info without looking at IDs Patient leaves pertinent parts of application blank Soon after patient gives us info they want to CHANGE info associated with the account Credit card info that keeps changing at repeated visits We receive unauthorized notices from credit card company or banking institution 2. Detect Red Flags: Reception Personal as well as Healthcare Providers will read and re-read info for inconsistencies and report any to each other. All new patients must provide a current ID that we can copy, inspect and keep in their record. All credit card and personal check paying patients will be asked to supply their matching ID. All Personal Checks will have to match ID on file. Suspicious candidates will be asked to have a seat in a private area and we will call credit card company or banking institution to verify authenticity. Such patients will be asked to pay in advance in cash at future appointments, unless matching IDs can be provided. Do a Google Search on said individual, check with police department or Department of Motor Vehicles. 3. Prevent & Mitigate: Close the account (depending on circumstance, open a new one). Report the account as improper to banking institution, credit card company and or police. Monitor the account for evidence of future foul play. 4. Update our Program: as needed HIPAA MADE EASY / 2009/2017 All Rights Reserved 107 HIPAA MANUAL TO OMNIBUS RULE STANDARD

5 Fraud-Prevention Policy ADMINISTRATOR S APPROVAL For the Office of: Practice Name: Doctor Name(s): Address: Phone: Management Administrator: As Management Administrator for this facility I, do hereby acknowledge, that all current employees have been thoroughly trained, have the proper knowledge to carry out the said Fraud Prevention Policies as stated above. This has been designed and will be carried out in accordance with HIPAA s Fraud-Prevention requirements and Red Flag Laws. [15 U.S.C. 1961a(e).], [16 C.F.R 603.2(a)], [ (1)(a)], [41.90(d)(1)]. Date: Print Name: Signature: HIPAA MADE EASY / 2009/2017 All Rights Reserved 108 HIPAA MANUAL TO OMNIBUS RULE STANDARD

6 RED FLAG Fraud-Prevention Policy EMPLOYEE TRAINING ACKNOWLEDGEMENT In signing this document, I declare that I have been fully trained understand the materials and steps necessary to carry out and enforce the Fraud-Prevention Policies and Practices for this facility. I will fully abide by these practices in accordance with our Administrator and Federal Law. DATE PRINT NAME SIGNATURE HIPAA MADE EASY / 2009/2017 All Rights Reserved 109 HIPAA MANUAL TO OMNIBUS RULE STANDARD