When legislation occurs anyone on the receiving end of it can usually anticipate money going out, not coming in. And at first blush it seemed that the Red Flags Rule would be no different. But there's a sunny side to complying with this Rule, which was supposed to take effect Nov. 1 and was delayed until June 1: There's minimal cost to implementing this rule and the return on this investment could reduce your bad debt.
Nationally hospitals average 5% bad debt or charity, but in these economic times that number is likely growing. One reason that number may be on the upswing is medical identity theft. The Federal Trade Commission estimates that nearly 5% of the nine million Americans who are victims of identity theft will experience some form of medical identity theft, according to their 2007 survey.
That's where the Red Flags Rule comes in. The Rule requires certain businesses and organizations, including hospitals and other healthcare providers, to develop a written program to spot the warning signs — or "red flags" — of identity theft.
"Healthcare providers must develop and implement programs to detect, prevent, and mitigate identity theft and medical fraud," says Randy Berry, CPA, vice president of Columbus Healthcare & Safety Consultant, LLC and author of Red Flag Rule Compliance for Health Care Providers.
This may feel like a HIPAA déjà vu, but it's not.
First the cost of implementing the Red Flag Rules is generally well under $1,000 not $10,000 if training in-house, and depending on the size of the facility it may be in the hundreds, Berry says. That's chump change when you compare it to the hundreds of thousands of dollars it took for most hospitals to comply with HIPAA. Here's a quick look at the potential costs:
- Training — If you delegate an in-house staff member to train your team, you'll lose a few hours of their time but won't add to the overall cost. Alternatively, you can hire a consultant to train your team and that will cost your facility a few thousand dollars.
- Time — There is time lost for your staff to train, estimate 45 minutes or less for this mandatory training to take place.
- Paper — First you need to write the policy and procedure (and get your board to sign off on it) then you'll need to make it available to your staff via hard or electronic copy.
- Fines — If you fail to implement the Red Flags Rule you are subject to fines. There is a Federal fine of $2,500 per occurrence of identity theft, and in many states there is an additional $1,000 per occurrence. Also, be warned that while the FTC may not have the staff to verify compliance with this regulation at all facilities, there's speculation that the federal government my tack this on with other audits.
- Bad Press — This is where the public relations team has an opportunity. Failing to comply with this regulation is a PR nightmare. Bad press about identity theft at a hospital doesn't endear your facility to the community. However, the reverse is also true and a good PR team should consider promoting your efforts to prevent identity theft as a huge benefit to the community.
Second, the two regulations target different areas of patient information. The Red Flags Rule is designed to protect the patients billing and personal information (e.g., social security number and health insurance identification) while the HIPAA regulation focuses on the privacy and security of patient medical records (e.g., diagnosis information and medical history).
But back to your bottom line, where the Red Flags Rule may help hospitals is with medical identity theft and fraud prevention. Medical identity theft is slightly different than Medicare fraud, though they do intertwine. One definition of medical identity theft is when a patient's Medicare/Medicaid insurance information is stolen and another individual uses this information for their treatment. When the victim of the theft goes to use their benefits, they find them exhausted.
Additionally the patient's medical records may be affected, as they may now contain information pertaining to the identity thief. This could result in incorrect treatment or diagnose. Medicare fraud can cover anything from falsifying bills to creating fake patients. For a more comprehensive look at the distinctions in these categories, read "Medical Identity Theft: The Information Crime that Can Kill You".
Aside from the cost both these crimes cause to your patients, the hospital is also left in the financial-lurch. When the insurance company catches the claim by the identity thief, they can refuse to reimburse the hospital. The hospital loses all the dollars associated with that visit and that increases bad debt. If taken seriously and implemented well, the Red Flags Rule should help healthcare organizations screen out more of these fraudulent activities.
Consider this; Berry recounts a story of one facility he worked with in which a patient presented in need of a gall bladder operation. Unbeknownst to the facility, the patient provided them with her sister's Medicare card to have the procedure done. In this instance, an astute physician happened to recognize the name of the patient as an individual that he had already operated on for the same procedure. So, the facility was able to catch the fraud prior to performing the surgery. However, had the physician not recognized the name, the facility would've been left footing the bill when Medicare rejected the claim. The physician saved the day by luck, but with the Red Flags Rule the patient may have been screened before things made it that far.
"It's critical if you are billing through Medicare and Medicaid that you are doing your due diligence," says Berry. Perhaps the simplest way of heading off potential losses (of identity and profits) is to ask for a driver's license when the patient provides their insurance card — and photocopy both cards for your files.
"When an identity has been stolen and that individual has obtained medical care that comes at a cost to the patient and the healthcare provider. Asking for a driver's license is an easy thing to do," Berry adds.
The areas to concentrate your Red Flag Rule training on are the billing and admissions departments. Seemingly simple information requests may actually be the ones that cause problems, such as a change of address request. Hospital bills and insurance information are diverted to the fraudulent patient, leaving the victim of identity theft unaware that anything is taking place. When a change is made, facilities could also send a letter to the previous address announcing the change. A few minor tweaks in the regular processes can add up to cost savings over time. Additionally, after completing the training, staying in compliance with the rules should only add a few extra minutes of per day to your team's plate.
Unfortunately there are no hard numbers as to how much financial loss this Rule may prevent for hospitals, but if you put the Red Flags Rule into action and your hospital decreases the number of rejected and unpaid claims, you will most assuredly see a dip in your bad debt. Don't wait for the legislation to formally take effect before you take action; your hospital only stands to gain ground (and money) by implementing these preventative measures as soon as possible.
Note: You can sign up to receive HealthLeaders Media Finance, a free weekly e-newsletter that reports on the top finance issues facing healthcare leaders.