Sample Program for Compliance with “Red Flag Rules” Regarding Identity Theft

The following Identify Theft policies are hereby adopted by the [insert name or title of key decision makers, for example, management, Board of Directors] of [insert the name of your practice] (the Practice):

In this program, “Staff” refers to the Practice’s workforce members (including non-paid staff such as interns and volunteers) who are not psychologists or mental health professionals (Practitioners). However, if the Practice only has Practitioners, they will perform the Staff duties in Section A.

A. Staff will ask patients to provide identification at the first session

Staff will request documentation of identity and make copies of the documentation provided:

  • Driver’s license, passport or other government issued photo ID. 

  • If the photo ID does not have the current address, Staff will request a utility bill, lease or other evidence of current address. 

  • Current insurance, Medicare or Medicaid card (for patients relying on such reimbursement).

Staff will verify that the ID photo looks like the patient and that other descriptions in the ID, like height and weight, appear to be correct. 

Copies of this information shall be kept in the patient’s file or in another secure

B. Practitioners and Staff shall be alert to and act on evidence of fraud

Staff shall be alert to suspicious activity such as: 

  • Identification documents that appear altered or forged 

  • Information provided by client is inconsistent e.g., information on one form of identification submitted is different from information on another form of identification (such as age, address, occupation) 

  • Suspicious change of address notice (for example a move from an expensive to an inexpensive neighborhood) 

  • Evidence that your paper or electronic records may have been compromised, for example, you discover that a Staff member accessed patient files without authorization, or that locked patient files have been broken into.

Staff shall act upon suspicious activities or evidence of identity theft as appropriate by: 

  • Checking with other members of the Practice regarding suspicious events, for example, if Staff receives a suspicious change of address notice (see B1c.), Staff will ask the practitioner treating that patient to consider whether such a change is consistent with information the patient has reported in psychotherapy. 

  • Contacting the patient to verify suspicious information 

  • If there is still a suspicion of identify theft after taking the verification steps above, contacting
    local law enforcement after obtaining patient permission. 

  • Changing passwords on electronic record accounts that may have been compromised 

  • Notifying patients where it appears that they may have been victims of identity theft.

C. The Practice will respond to reports of identity theft

The Practice will respond to reports of actual or suspected identity theft by patients, law enforcement, and others as appropriate, including by identifying the situations listed in B2.

D. The Practice will ensure that staff and Practitioners are trained on implementing the policies

Staff and Practitioners will be trained in the implementation of these policies.

Staff and Practitioners will be given a copy of this policy to read and initial.

E. The Practice will have business associates sign Red Flag Agreements

The Practice will determine whether it has business associates who handle patient information, e.g., billing services, collection agencies, accountants. It will ask those business associates to do one of the following:

  • Sign an addendum to the business associates contract that the Practice already has in place with that company as part of HIPAA Privacy Rule/Security Rule compliance; or if no business associates contract is in place,

  • Sign a standalone agreement, or 

  • Provide a copy of its own Red Flags Program and state that such Program meets the requirements of the Red Flags Rules.

F. The Practice will re-evaluate these policies periodically

The Practice will annually re-evaluate whether these policies are effective and appropriate for detecting and preventing identity theft in light of the Practice’s actual experience with actual or suspected identity theft and in light of any new information learned by the Practice regarding identity theft risks.

PLEASE NOTE: Legal issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single document. In addition, laws change over time and vary by jurisdiction. The information in this document should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.