Thursday, August 26, 2010

Does ID Theft Weigh-In On Immigration Debate?

by Sue B. Martines J.D. and Michael McCoy M.Sc.

“It’s a black and white issue,” the gal next to me on the plane volunteers, as she peers over at the newspaper article I’m reading about Arizona’s latest immigration law battle. And then it taints my entire train of thought -- is it as simple as that? Is it as simple as saying someone is either lawfully in this country or they’re not? Is it that you either jumped through the justice hoops and got it done or you need to go back from whence you came?

Foregoing the more esoteric consideration, perhaps, about whether borders are indeed a necessity, when identity theft is factored into the immigration debate, how can it ever be black and white? The July 16, 2010 USA Today article discusses how immigration is re-entering the national debate and is back in the spotlight for November’s races. But nowhere is identity theft addressed in the article.

And yet, there are dozens of websites where anyone with $20 and a credit card can buy a fake ID. You gotta wonder upon what document is the “sending one back from whence they came” based?

If an illegal immigrant turns into an identity thief by buying a Social Security number in order to remain in the U.S., and it’s happening at an alarming rate, then is there an additional argument in favor of such laws being looked at in Arizona – where immigration is reviewed with nearly every bust?

A Center for Immigration Studies article cites that approximately 75 percent of working-age illegal aliens use fraudulent Social Security cards to obtain employment. (And that was in 2009.)

Understandably, regardless of which end of the potentially black and white immigration spectrum one stands, there cannot be a laundry list of potential crimes to be evaluated with every charge, but identity theft needs to be factored into the mix somehow. In fact, if identity theft doesn’t weigh-in now, the immigration issues we’re facing may never really get addressed.

Labels: , , , , , ,

Friday, August 20, 2010

The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

by Steven Toporoff
As many as nine million Americans have their identities stolen each year. The crime takes many forms. But when identity theft involves health care, the consequences can be particularly severe.

Medical identity theft happens when a person seeks health care using someone else’s name or insurance information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.

The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft. Is your practice covered by the Red Flags Rule? If so, have you developed your Identity Theft Prevention Program to detect, prevent, and minimize the damage that could result from identity theft?


Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.


The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. Your office may already have a fraud prevention or security program in place that you can use as a starting point.
If you’re covered by the Rule, your program must:

Identify the kinds of red flags that are relevant to your practice;
Explain your process for detecting them;
Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule — available at — sets out some examples, but here are a few warning signs that may be relevant to health care providers:

Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you — for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.

Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file or from the insurer, fraud could be afoot.

Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.

Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.


Once you’ve identified the red flags that are relevant to your practice, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you request additional documentation? If you’re notified that an identity thief has run up medical bills using another person’s information, how will you ensure that the medical records are not commingled and that the debt is not charged to the victim? Of course, your response will vary depending on the circumstances and the need to accommodate other legal and ethical obligations — for example, laws and professional responsibilities regarding the provision of routine medical and emergency care services. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if your organization or practice doesn’t have a Board, by a senior employee. The Board or senior employee may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers — for example, those who manage your patient billing or debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.


Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that you’re doing your part to fight identity theft.

Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit

In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at
Questions about the Rule? Email
Steven Toporoff is an attorney with the FTC’s Division of Privacy & Identity Protection.

Labels: ,

Saturday, August 07, 2010

Where’s the Crime in ID Theft?

by Sue Martines J.D. and Michael McCoy M.Sc.

Doesn’t its very name, identity ‘THEFT’ beg for its categorization as a “crime??” And isn’t thieving arguably the quintessential global crime throughout the ages? Our children play at being burglars, and video games , Hollywood, comics and authors profit from images of the classic “bad guy.” It’s just that those images aren’t historically of the stealthy computer whiz in his home abroad bartering online for our health insurance policy data so that it can be re-sold for tens of thousands of dollars!!

Unlike more traditional “theft,” identity theft has a business overlay that often overshadows the criminal nature of the crime!

In a non-empirical study of all news reports in the US on identity theft in the past 30 days, it appears that approximately 47% of all reported newsworthy identity theft stories relate to criminal cases. (See Google’s daily “identity theft” global search).

In other words, instead of just stories relating to how to travel this summer without identity theft risks (see or how to be ready to avoid identity theft when placing a catalogue order, per Heloise (see, or The Chicago Tribune telling you to shred your bills to prevent identity theft (see -- I’m talking about the stories on the two arrested in Maricopa, Arizona for using a stolen credit card at a local drug store (see or The Washington Post story on the security guard now charged with identity theft! (See

Why is it that the juicy stories about crime victims get usurped by the perhaps more mundane shred your receipt ones? And that the burden of the impact of identity theft seems to fall shamelessly upon the victims, consumers and businesses??

In fact, the business overlay is so bold with identity theft that the ever-evolving laws relating to it go more to the duties of business owners than to the culprit! (See the FTC’s Red Flags Rule as one example, requiring targeted businesses to have mitigation plans for identity theft.) Don’t get me wrong, this writer is not advocating for stricter criminal penalties, or some kind of high mandatory minimum sentence for the villainous identity thieves, or even that we should buy a lock and live in a cage – it’s just that current events bear observing.

Perhaps more creative measures are required to nab this newfangled thief. Who knows, maybe smart offensive strategies on the part of consumers and businesses will ultimately even offset the growth of identity theft!

Maybe it’s Pollyanna of me, but I can envision a video strategy game where the chivalrous prince outwits the cunning identity thief’s attempt to invade the castle via the king’s identity… and not just by buying Lifelock.

Follow Michael McCoy at

Labels: , , , , ,

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft -