AIS's Health Business Daily
Featured Story
July 8, 2009

Surprises Arise as Hospitals Struggle With FTC's Red Flags Rule

Reprinted from REPORT ON MEDICARE COMPLIANCE, the nation's leading source of news and strategic information on false claims, overpayments, compliance programs, billing errors and other Medicare compliance issues.

By Nina Youngstrom, Managing Editor (nyoungstrom@aispub.com)

As hospitals and health systems implement the FTC Red Flags Rule, they are confronting unanticipated challenges. These challenges include unforeseen compliance angles involving post-acute care and the National Patient Safety Goals, and patient misrepresentation that can set off alarm bells but isn't necessarily what it seems.

The Red Flags Rule, which the FTC will start enforcing Aug. 1, requires certain organizations to have an identity theft mitigation and detection program. It's been well-established that many health care entities are subject to compliance with the rule because of their billing and collection practices. Failure to comply can mean civil monetary penalties, but not criminal penalties, for violations.

According to the FTC, a red flag is "a pattern, practice, or specific account activity that indicates the possibility of identity theft." Red flags include:

Employees at Ohio State University Medical Center (OSUMC) have apparently been paying close attention to its identity theft and medical identity theft education and mitigation program. In the months following the multi-faceted training program, which is required by the FTC to help organizations identify and mitigate identity theft, employees have become aware of red flags that may indicate identity theft. "We have lots of different red flags rolling in," Privacy Officer Jennifer Cironi tells RMC. "We are trying to triage." That means separating potential identity theft, which will be investigated by OSUMC's "red flag response team," from minor clerical errors (two patients with the same names), which can easily be resolved by the medical information department.

One incident in particular has confirmed both the peculiar turns that identity theft can take and the effectiveness of OSUMC's program in terms of identifying abuses of identities and uncovering the reasons behind it for purposes of mitigation.

Here's the story: A man called the hospital to complain that he was getting bills for hospital care he never received. OSUMC checks out these stories carefully because one side effect of the publicity about identity theft is that unscrupulous people sometimes use it as a ploy to try to evade paying their medical bills. But this case was immediately suspicious because the computer indicated that the man on the phone was at that moment an inpatient at OSUMC. Either a flagrant case of medical identity theft was in progress, or something else was afoot.

The latter turned out to be true, Cironi says. When the red flag response team started poking around, it couldn't understand what the inpatient's motive was. He had insurance coverage, so he didn't need to steal the caller's insurance. The nurses thought the patient was malingering; hospital staff at one point speculated that the caller was actually one and the same as the inpatient. They thought maybe he snuck downstairs and used his cell phone to call patient accounting from inside the hospital.

Finally, however, the caller figured out that his own cousin was the imposter, checking into the hospital under the caller's name. But the reasons were inexplicable. As the hospital's investigation unfolded over the course of a week, it became clear that the inpatient actually believed he was his cousin. It turned out the inpatient had a number of illnesses, and they had some effect on his perception. "Ultimately, we think he really believes he is someone else. We don't think he had any criminal intent," Cironi says. "His health issues likely affected his perception." This conclusion was bolstered by the fact that the inpatient has been treated at the hospital a number of times, and had used his cousin's identity those times as well, again for no apparent reason because both have insurance. Given the findings, there were no consequences for the inpatient.

The next step: The hospital focused on cleaning up the medical-records mess that was created by one cousin thinking he was the other. The cousin who was not hospitalized is healthy and has received few services, so the hospital had to make sure all the treatment information related to the sick cousin's treatment was stripped from the healthy cousin's records and placed where it belonged. That way, if and when the healthy cousin presents at the hospital, the medical records will be accurate. Insurance claims were also rectified so the healthy cousin's insurance company was refunded for claims it paid on his behalf, and the sick cousin's insurance company was billed instead.

The lesson learned was never to take potential identity theft at face value. "Our team spoke to staff and told them not to get jaded. You have to keep an open mind and consider the entire picture," Cironi said.

Post-Acute Care Raised Red-Flag Questions

As Catholic Healthcare Partners (CHP) approached Red Flags Rule compliance, it realized it "faced a unique set of challenges" with post-acute care, including home health, long-term care and skilled nursing facilities and durable medical equipment suppliers, says Cheryl Rice, interim corporate responsibility officer at the Ohio-based health system. With these entities, patients don't walk off the street; they are referred by hospitals and physicians, where they have already been through an extensive registration process. But the post-acute care entity may have minimal information on the patient at the first encounter or assessment session.

"One of the questions that came up is, can we assume hospitals and doctors did all the proper screening for identity theft since they were referred to us?" Rice says. Because the Red Flags Rule holds each provider responsible for compliance, post-acute care entities must have their own Red Flags policies and procedures. Rice explains that each post-acute care entity will typically have a separate provider number from the hospital or physician office. Post-acute care entities can use information provided in the referral to supplement their efforts, but they should not automatically assume that the referral source did the identity check.

"Although post-acute care providers would be considered a low-risk organization for identity theft, they still need to demonstrate a good-faith effort to comply with the FTC requirements in terms of having safeguards and mitigation efforts in place," she says. "CHP affiliates are looking to network with their referral sources for post-acute care to see what information can be shared in the transfer and referral process to further both parties' compliance efforts with the Red Flag Rule."

Consider Other Demands for Identifiers

But there's a twist that complicates compliance.
The Joint Commission requires health care organizations to meet National Patient Safety Goals (NPSGs) to improve patient safety. Among other things, health care organizations, including acute-care and post-acute-care entities, must "reliably identify the individual as the person for whom the service or treatment is intended" and "to match the service or treatment to that individual." In other words, is Mr. Smith, who is about to have his leg amputated, the correct Mr. Smith who is scheduled for an amputation? To confirm that, the Joint Commission requires health care organizations to obtain two patient-specific identifiers. "All post-acute settings rendering treatment are subject to the Red Flags Rule and have to abide by the two-identifier National Patient Safety requirements," Rice notes.

It's burdensome for patients and health care organizations alike to deal with repetitive identification. So Rice said CHP sought to figure out which kinds of identification would fulfill both the Red Flags Rule and the National Patient Safety Goals. A utility bill may ease concerns about identity theft, but isn't sufficient for NPSGs. A driver's license with photo, eye color, birth date and address would cover both bases, she says. If patients lack a driver's license, "caregivers may have to ask for a combination of identifiers to meet both requirements," Rice notes. For example, a utility bill provides the name and address to meet the Red Flags Rule and one identifier under NPSG, while a verbal birth date covers the second NPSG identifier.

In another Red Flags Rule challenge, CHP's affiliates have realized there are certain populations, such as the Amish, who lack mainstream methods of identification. Amish people don't have Social Security numbers, she says. "They won't let you take their picture," and they don't use electricity, so forget relying on utility or cable bills, Rice adds. The closest thing to insurance is the Amish Society, which helps pay for treatment, but it doesn't use conventional identifying information. Their lives are modest so it's unlikely someone is trying to co-opt their financial identity, but someone could pretend to be Amish to get care under one of their names, Rice says. "The hospital would be at risk if you rendered care for someone not Amish or if the Amish Society paid for care for someone not Amish," she says. So CHP still tries to get at some identifiers: names of patients, when they were last treated at the hospital, their birthdays, where they live and names of their private physicians. It's often enough information to detect identity theft.