Red Flag Rule

[Leonidas]

So late last year my physician, along with a number of other doctors, split away from the group he was practicing with and joined a new group in a different office building with different staff. The local newspaper hinted at some "financial impropriety" as the reason why the original practice group dissolved. I visited him at his new digs yesterday for the first time in a long time.

The staff at his new office seem to be less than competent, and some border on being rude. But that is a topic for another day.

In any event, my records did not make the transition from the old practice to the new and I was classified as a new patient. Which meant filling out 10 different forms that were worthless for the most part, repetitive, and poorly designed.

It also meant that not only did they want to look at my insurance card, but they wanted to scan my driver's license. I questioned that.

The twenty-something twit receptionist claimed that it was required, and when I asked why, she seemed a little shocked that anyone would question her legal authority to make a copy of someone's identification. Finally she claimed that HIPAA II required it. Now, when someone tells me that I am being forced to do something because it is required by law, I usually go off and verify that information. When I asked if that specific requirement was actually in the law, she said, "the billing people told me that we will refuse treatment to anyone who doesn't comply."

Verifying my identification is a good thing, especially when my insurance billing and medical records are involved. Maintaining a copy of my identification in the same system that has my social security number, tons of biometric information, and my medical records, and my credit card information, seems like a recipe for identity theft.

I have friends and neighbors who are physicians, dentist, etc., and professionally I've encountered plenty of doctors as victims, witnesses and defendants. Very knowledgeable about medicine, but outside of that it's a very mixed bag. One of favorite illustrative examples is something I heard an SEC guy say once about investment scams, "if there are two or more doctors invested, it is almost certainly a scam." Or my former neighbor, the head of pediatric care at a major hospital, whose home repair adventures are the stuff of legend. It was SOP in my house to keep a phone handy to call 911 whenever we saw him with power tools or a ladder.

So what does my doctor know about keeping my information secure?

The thought of all my information, plus a copy of my DL, floating around on some computer system whose security is a complete unknown makes me a little nervous. Not knowing if my doctor, or his staff, have a clue about data security, identity theft, information compartmentalization, how to patch that old version of Vista (or XP or whatever), or if the system is accessible from the outside, etc., all make me real nervous about my info.

A little research this morning seems to indicate that this is not covered by HIPAA, but by the Red Flags Rule of the FTC's Fair and Accurate Credit Transactions Act of 2003 (http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf) Apparently medical practices are now considered credit institutions and are required to take steps check the identification of customers. Nothing I can find says that they are required (or allowed) to make copies of patient's driver's licenses.

The AMA, which fought to keep doctors out from under this regulation, has a model policy that doctor's can use in their practices. It provides for checking a patient's identification and comparing the photo to the person, but absolutely nothing about maintaining a database of DL copies.

What are your thoughts on this?

 

[haha]

What are your thoughts on this?

My thoughts are similar to yours. However, many medical offices are about the most arrogant, non-consumer oriented places in the world, and to resist their demands is a recipe for having oneself red-flagged as a malcontent. And since they have the power to not only dislike you, but also write their feelings in your chart as if they were reality, it's not a huge jump from malcontent to something or other they might discover out of DSM-IV, or whatever the current fairy tale version is. "Chronic non-compliance disorder, complicated by hostility, social distrust and borderline paranoia. Oh yeah, "and with prominent elements of affective instability".

As far as identity theft is concerned, wait until you get your Medicare Card, which you must carry to have any hope of getting emergency treatment. Right on the front is your SSN. Bills to fix this obvious flaw have died in congress. Ever time you seek treatment they copy your card and it is sitting right there in your folder, available to the same high class office staff who steal drugs and gossip with their friends about who had the clap, etc, and date lowriders who recently lost their jobs at the foundry.

Eff you senior, and eff the horse you rode in on!

Ha

 

[BigNick]

And since they have the power to not only dislike you, but also diagnose you, it's not a huge jump from malcontent to something or other they might discover out of DSM-IV, or whatever the current fairy tale version is.

Yes... or remotely-diagnosed prostate trouble requiring weekly palpations. (The female equivalent would be what an emergency room paramedic of my acquaintance learned from the doctors to call a TUBE, standing for "Totally Unnecessary Breast Exam")

 

[jIMOh]

you expected the medical industry to be customer friendly

any comment after that requires me to get off the floor and stop laughing

thx for the info on what is required
but your expectations for medical industry to be customer friendly or knowledgeable is LOL funny ROFL funny and peeing my pants funny LOL

 

[FUEGO]

Tell em you've been on a health kick lately and surrendered your license. Ask em if they want to photocopy your size twelve boot since that is how you get around these days.

 

[W2R]

What are your thoughts on this?

My thoughts are that this is a common practice for new patients. At least, my doctor's staff xeroxed my driver's license and insurance card back in 2002 when I first started going to him. It only seems reasonable, with health insurance being such a HUGE expense, for doctors' offices to be able to provide proof of patient identity to insurance companies upon demand. This has never bothered me.

Now they just ask "Do you have the same insurance?" They don't even want to see my insurance card again, much less my driver's license. My doctor's office has had a steady stream of incompetent, nearly illiterate receptionists over the years but there hasn't been any problem.

 

[Leonidas]

but your expectations for medical industry to be customer friendly or knowledgeable is LOL funny ROFL funny and peeing my pants funny LOL

I appreciate all the love you're throwing my way.

So, I called the FTC and that was a waste of time. They offer nothing that is not in the public record that I already read in the Federal Register. They referred me to the State Attorney General, which I know is a waste of time to even bother with.

I called my congress critter and am waiting on a privacy release form (HIPAA required, no doubt). My intention is to go forward with that, to at least make contact with his office and bring the issue forward.

But I hold out no hope for anything being resolved. This issue is huge, and it's not just the doctor's office.

I called someone in the financial fraud division at my old employer and got the scoop. In a word, from the pros - we're all "f***ed".

"The FTC screwed us all on this one. There is almost no financial transaction you can get involved in, short of buying a burger with cash, in which you aren't going to be required to surrender all kinds of information that exposes you to identity theft. Go to the doctor, rent an apartment, buy a car, etc., and you're going to get your DL scanned and your social security card as well. You know, the one that says "not to be used for identification purposes". Hell, I went with my wife the other day when she was buying a car in her name and using just her credit, and they wanted to copy my DL."

I really want to know how a rule that says identification must be checked turns into a policy of keeping copies of identification documents.

If it's allowed under the law, then thanks to the government I might as well just paint my DL and SS number on the front door of my house.

The dude at the PD said that they get people in every day with stolen identities who want to know how the crooks got their SSNs. "Do you go to the doctor?", is the first question they ask.

I guess it's time to just freeze my credit, or maybe look at some of the private companies that offer alert services. I remember the head of the financial fraud unit gave a presentation a few years ago and was a little shocked when he said it is no longer a question of if you're identity will be stolen, but when. And yes, he had his stolen.

 

[MichaelB]

What are your thoughts on this?

Fully agree. A physicians office, full of paper files and MS based computer programs, cannot even determine who accesses files, much less protect personal identification. When I visit a physician's or dentist's office I do not plan to return to I just do not give license or SS# - especially if paying cash. With checkbook in hand I have not been challenged. Even with insurance card I have not had too much challenge here.

OTOH, I check my credit records quarterly and monitor my financial accounts closely. There is no way to control exposure, one must be very proactive in monitoring and protecting one's own identity risk.

Also agree with Señor Ha.

 

[Rich_by_the_Bay]

Tough times for doctors' offices, sounds like.

But we sure have double standards -- few of us hesitate to give our credit card to a 19 y.o server in restaurant, who is free to walk away with it, and return 10 minutes later. Or to give your address to the kid at Radio Shack every time you buy a battery. Or store our most vital financial information online not only with financial instiitutions, but also with Amazon, eBay, etc. Many credit cards now have photo IDs, too. Heck, if you get stopped by someone who claims to be a LEO wouldn't you have a right to verify that with a photo ID badge?

While I don't like it, how is having our drivers license copied in a medical office (or other legitimate professional office) any worse?

 

[Sarah in SC]

"Chronic non-compliance disorder, complicated by hostility, social distrust and borderline paranoia. Oh yeah, "and with prominent elements of affective instability".
Ha

Ha, you say this as if it is a bad thing to have in your chart?

 

[WhoDaresWins]

I have gone to the same PCP group for 17 years, and they have never photocopied my driver's license. Periodically they ask if my insurance has changed, and they update HIPAA, including to whom they can reveal information contained in my medical record( my son and two girlfriends from work... reminds me I will have to delete one, she moved to AL). My group is owned by UPMC and is very large. They keep after me at every visit to create an electronic record which I can access for lab results, contact the physician by e-mail, get reminders for tests, etc. but I have been reluctant to do so. The next thing you know, this will take the place of an office visit IMHO. They seem to have long-time staff in the office. The medical assistants and front desk are friendly and frequently inquire about my son, tell me they remember my husband fondly. One of their offices is designated as an urgent care center for access by walk-in patients 7 days a week. I haven't been there yet.

 

[Leonidas]

While I don't like it, how is having our drivers license copied in a medical office (or other legitimate professional office) any worse?

Very good question.

It opens up a whole new universe of theft opportunities, and vastly complicates victims' ability to untangle the situation.

In some instances of identity theft the evil-doer actually goes to the drivers license office and gets a new DL in the name of their intended victim. Then they go out and start buying stuff, getting credit or passing hot checks, using the DL as their passport. If, or when, they get caught the case is easy to make because the photo on the DL is them and not the victim. Or, at the very least, the victim has a decent shot of clearing any criminal charges against them by being able to prove their identity was stolen and a fraudulently obtained DL was used to commit the crime.

Consider Mary the receptionist at Dr. Bob's office. Mary has a substance abuse problem, that old devil Methamphetamine has got hold of her and the financial obligation to her dealer far outweighs the pittance she makes from keyboard and telephoning down where Bob has his shingle hung out.

All Mary needs is someone at another "credit" institution to work with her and they can use all of the information in Dr. Bob's patient database to create fraudulent transactions that are going to be very difficult to disprove. "See, Leonidas did buy that car/open a credit account/rent this post office box/rent this car and we even have a scan of his DL to prove it."

That scanned DL is just another digital file that can be copied over and over and still look the same as any other scan that you gave for a legitimate purpose. How many scanned DLs and SSN numbers can Mary fit onto a CD when she "backs up the database"?

People get arrested all the time for financial crimes they did not commit because their identity was stolen. If you can prove that your information was stolen because that ain't you pictured on that replacement DL in someone's file, then at least you can beat the conviction - even if you didn't beat the ride to jail. But with digital copies of DLs floating around at doctor's offices, car dealerships, and apartment management offices, how do you claim it wasn't you when some place produces a copy of your DL with your picture on it? Have fun explaining that one in court.

Edit to add: I've put people in prison for life with scraps of paper used as evidence against them. I've also got myself out of some potential major legal hassles once with some documentary evidence that proved I could not have been anywhere even close to where something wrong went down. Cops, prosecutors, judges and juries put a lot of faith in physical evidence such as documents.

 

[Rich_by_the_Bay]

Consider Mary the receptionist at Dr. Bob's office. Mary has a substance abuse problem, that old devil Methamphetamine has got hold of her and the financial obligation to her dealer far outweighs the pittance she makes from keyboard and telephoning down where Bob has his shingle hung out.

Yes, it is a problem. Of course said suspect Mary could just as well have been the receptionist at Dewey Cheatham and Howe Legal Services, or Sparky the waiter at Chez Larceny, or the teller at the bank, or an anonymous customer service worker at Amazon or Vanguard, or even the guy who trolls through your mailbox or garbage looking for credit card receipts.

I wonder if this is a health care issue or a larger societal/technological "big brother" issue.

An aside... in general I think the larger health groups like Kaiser and other industrial strength clinics tend to have their policies and procedures in better shape than the local corner doctor's offices. They may be more impersonal sometimes but the bookkeeping is more streamlined.

 

[Leonidas]

Yes, it is a problem. Of course said suspect Mary could just as well have been the receptionist at Dewey Cheatham and Howe Legal Services, or Sparky the waiter at Chez Larceny, or the teller at the bank, or an anonymous customer service worker at Amazon or Vanguard, or even the guy who trolls through your mailbox or garbage looking for credit card receipts.

I wonder if this is a health care issue or a larger societal/technological "big brother" issue.

After digging into it I find that it is more than a health care issue. But I don't have give to Amazon, or the waitress a copy of my driver's license. Nor am I compelled to do business with them.

But, when your doctor misapplies the law, and exceeds the law's requirements and puts you at risk of identity theft, it is a problem. Especially if he refuses to treat you if you won't comply. I'm not forced to go to the doctor, but if I want to stay healthy I am compelled to seek care.

Edit to add: Rich, you are right that we are exposed to the risk of identity theft in many places and many ways. I understand why you would feel the need to defend the medical industry by pointing out the other possibilities. But does that mean the medical industry gets a free pass, because every one else is doing it?

Here's a nice story about medical workers stealing $300,000 in merchandise using patients' stolen information. They did it the old-fashioned way, they went through the paper records.

http://cbs2chicago.com/local/identity.theft.ring.2.1589013.html

If Dr. Bob can't keep a file cabinet secure, what hope is there he can keep digital copies of my identification document secure?

 

[IndependentlyPoor]

I don't mind so much them keeping a photocopy of my insurance card and DL, but a scan stored in a computer worries me. However, my SSN is sittling in their (probably insecure) computer system, so i'm screwed anyway.

Don't get me started on doctors' office staff and billing practices.

I just try to keep my dealing with the business side completely separate from he medical side. I never complain to my doctor no matter how awful the office staff is. I want him to concentrate on my health. As for the office manager, I don't really care if she thinks I am a problem client or not.

 

[Rich_by_the_Bay]

Edit to add: Rich, you are right that we are exposed to the risk of identity theft in many places and many ways. I understand why you would feel the need to defend the medical industry by pointing out the other possibilities. But does that mean the medical industry gets a free pass, because every one else is doing it?

Nah, no free ride for medicos, or cops, or any other line of work where personal information is on the line. So far, I have had only rare but good experience with law enforcement - two lifetime "performance awards" both well-deserved and neither one asked to scan my license .

Let's face it: neither cops nor docs are exactly immune from strong public opinion. - maybe that's why it gets such a rise out of people when something is poorly handled in a "high profile" setting.

 

[MichaelB]

But we sure have double standards -- few of us hesitate to give our credit card to a 19 y.o server in restaurant, who is free to walk away with it, and return 10 minutes later. Or to give your address to the kid at Radio Shack every time you buy a battery. Or store our most vital financial information online not only with financial instiitutions, but also with Amazon, eBay, etc. Many credit cards now have photo IDs, too. Heck, if you get stopped by someone who claims to be a LEO wouldn't you have a right to verify that with a photo ID badge?

While I don't like it, how is having our drivers license copied in a medical office (or other legitimate professional office) any worse?

Rich, I beg to differ. It is not a double standard. It is not like giving credit card info, because the cards are subject to federal regulation as well as issuer T&C’s to the merchant. The point is providing two components of personal information, enough to enable identity theft, to a business that has no direct need for one (DMV identification) and may not have or use the tools and processes to protect the info from unauthorized access or use.

I suspect drivers license is requested to enable collection of unpaid obligations.

 

[Nords]

What are your thoughts on this?

Sounds like it's time to shop for a doctor where you're treated better.

If the doctor lets the staff treat you that way then it's hard to believe they have your best interests at heart. If the doctor doesn't know that you're being treated that way then it's hard to believe that they're competent.

Our kid's old dermatologist (voted "Best on Oahu", and a favorite of hers) retired about a year ago and sold the practice to a couple of younger docs. One of them just sent us a bill for unpaid copays. Our kid has had a memory lapse or two in the past on this, so I was willing to believe the staff's records... until I checked our records.

So I sent their invoice back with copies of our receipts and apologized to my kid. She said that she thought the new doc hadn't been listening to her anyway and had already decided it was time to try somewhere else. It's been over a week since I sent off my letter-- no response from them, let alone an apology. Apparently they don't give a crap either.

 

[haha]

OK, I'm convinced. And I don't mind spending a bit of money to get much better security.

What are good ways? My state is one tha tfavors the credit industry over the consumer, so I cannot freeze my credit without once being vistimized.

What should one consider?

Ha

 

[Rich_by_the_Bay]

My state is one that favors the credit industry over the consumer, so I cannot freeze my credit without once being vistimized.

Can you explain a bit what you mean, Ha?

 

[LOL!]

I had to renew my driver license. Heaven forbid, but they needed to see my actual social security card which no one has seen since I was age 14 and locked it away. Not only that, they wanted to take a photo of me. I was incensed. What is the government doing meddling in my private life and especially my identity?

 

[Rustward]

FWIW I just looked at my SS card, which is a replacement card that is at least 40 years old. Judging from the penmanship on the signature I would guess I signed it in 1970 or so. Have no recollection of why I might have needed to get a replacement. It is just a form on which the ss number and my name have been typed (anybody remember typewriters?)

Across the bottom of the card it says "FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION". So many entities use the ss number for identification, though. Guess something went wrong.

 

[haha]

Can you explain a bit what you mean, Ha?

Rich, I am so glad you asked that question. When I went to the Washington website to clarify my thoughts, I saw that I either was wrong all along, or the law has been changed. Now, only to get a free freeze must one prove ID theft. Also, those => age 65 one can get a free freeze from all the credit bureaus without proving victimization.
Security Freeze Procedures

I don't suppose this would do much to protect fromt the DL problems that Leonidas mentions though.


Ha

 

[Linney]

Rich, I am so glad you asked that question. When I went to the Washington website to clarify my thoughts, I saw that I either was wrong all along, or the law has been changed. Now, only to get a free freeze must one prove ID theft.

Ha,

You aren't mistaken -- the law has indeed been changing in Washington State. In 2005 you had to show actual damage (theft, or personal data stolen) to get a freeze on your credit reports. My husband and I were victims of identify theft before 2005 and debated what to do should we become "eligible" for a credit freeze under the new 2005 laws.

See this 2005 announcement extolling this improvement: Credit Report Security Freeze Can Help Identity Theft Victims. Further improvements which you described in your email were enacted in subsequent years (2008 I think).

--Linney

 

[Emeritus]

When asked at a physician's office for a copy of my ID I always ask for a photo copy of the Physician's medical and drivers license for my malpractice files

Solves a lot of problems