Red Flags Fly, Bad Debt Shrinks

HealthLeaders Media Staff, November 2, 2009

When legislation occurs, anyone on the receiving end of it can usually anticipate money going out, not coming in. And at first blush it seemed that the Red Flags Rule would be no different. But there's a sunny side to complying with this Rule, which was supposed to take effect Nov. 1 and was delayed until June 1: There's minimal cost to implementing this rule, and the return on this investment could reduce your bad debt.

Nationally, hospitals average 5% bad debt or charity, but in these economic times that number is likely growing. One reason that number may be on the upswing is medical identity theft. The Federal Trade Commission estimates that nearly 5% of the nine million Americans who are victims of identity theft will experience some form of medical identity theft, according to its 2007 survey.

That's where the Red Flags Rule comes in. The Rule requires certain businesses and organizations, including hospitals and other healthcare providers, to develop a written program to spot the warning signs — or "red flags" — of identity theft.

"Healthcare providers must develop and implement programs to detect, prevent, and mitigate identity theft and medical fraud," says Randy Berry, CPA, vice president of Columbus Healthcare & Safety Consultant, LLC and author of Red Flag Rule Compliance for Health Care Providers.

This may feel like a HIPAA déjà vu, but it's not.

First, the cost of implementing the Red Flags Rule is generally well under $1,000, not $10,000, if training in-house, and depending on the size of the facility it may be in the hundreds, Berry says. That's chump change when you compare it to the hundreds of thousands of dollars it took for most hospitals to comply with HIPAA. Here's a quick look at the potential costs:

  • Training — If you delegate an in-house staff member to train your team, you'll lose a few hours of their time but won't add to the overall cost. Alternatively, you can hire a consultant to train your team and that will cost your facility a few thousand dollars.
  • Time — There is time lost for your staff to train; estimate 45 minutes or less for this mandatory training to take place.
  • Paper — First, you need to write the policy and procedure (and get your board to sign off on it); then you'll need to make it available to your staff via hard or electronic copy.
  • Fines — If you fail to implement the Red Flags Rule, you are subject to fines. There is a federal fine of $2,500 per occurrence of identity theft, and in many states there is an additional $1,000 per occurrence. Also, be warned that while the FTC may not have the staff to verify compliance with this regulation at all facilities, there's speculation that the federal government may tack this on with other audits.
  • Bad Press — This is where the public relations team has an opportunity. Failing to comply with this regulation is a PR nightmare. Bad press about identity theft at a hospital doesn't endear your facility to the community. However, the reverse is also true and a good PR team should consider promoting your efforts to prevent identity theft as a huge benefit to the community.

Second, the two regulations target different areas of patient information. The Red Flags Rule is designed to protect the patient's billing and personal information (e.g., social security number and health insurance identification), while the HIPAA regulation focuses on the privacy and security of patient medical records (e.g., diagnosis information and medical history).

But back to your bottom line: where the Red Flags Rule may help hospitals is with medical identity theft and fraud prevention. Medical identity theft is slightly different than Medicare fraud, though they do intertwine. One definition of medical identity theft is when a patient's Medicare/Medicaid insurance information is stolen and another individual uses this information for their treatment. When the victim of the theft goes to use their benefits, they find them exhausted.

Additionally, the patient's medical records may be affected, as they may now contain information pertaining to the identity thief. This could result in incorrect treatment or diagnosis. Medicare fraud can cover anything from falsifying bills to creating fake patients. For a more comprehensive look at the distinctions in these categories, read "Medical Identity Theft: The Information Crime that Can Kill You".

Aside from the cost both these crimes cause to your patients, the hospital is also left in the financial lurch. When the insurance company catches the claim by the identity thief, they can refuse to reimburse the hospital. The hospital loses all the dollars associated with that visit, and that increases bad debt. If taken seriously and implemented well, the Red Flags Rule should help healthcare organizations screen out more of these fraudulent activities.
