Red Flag Rule: privacy concerns at doctors' offices

While at the doctor's a few weeks ago, I was asked to give them my driver's license, they needed to photocopy it.
I showed it to them, but refused to let them take it to copy. It just made me uneasy and their reason sounded pretty flaky: in case we need to send "something" out for testing?
I figured I was just being a CTer.

Yesterday, I went to get my eyes checked. I've been going to the same place for twenty years.
They asked me for my license to copy. When asked, they said it was a new "state" law to prevent identity theft.
I told them I would gladly show it, but they could not copy it.

I don't remember hearing anything about this "new law"
But, after doing some searching, ther is a federal law, from the FTC
www.ftc.gov...
But, it does not say IDs are to be copied or scanned.

If you’re covered by the Rule, your program must:

1. Identify the kinds of red flags that are relevant to your practice;
2. Explain your process for detecting them;
3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
4. Spell out how you’ll keep your program current.

It seems that doctors were given a reprieve to August 2009 to compy, so plan on being asked for your ID soon.
www.ftc.gov...

How secure are my doctor’s computer systems? Patients don’t have the right to know. Doctor’s offices, hospitals and even health insurance companies get infected with viruses, worms and spyware all the time. These are generally not reported as patient data breaches, because they are far too common.

philosecurity.org...

I, for one, have little faith that my doctor's records are all that secure. It's bad enough that they already have copies of my insurance cards, but at least the insurance card longer uses my SS number.
It seems to be there is some risk that my identity could be stolen via doctor and hospital records.
I will continue to refuse this copying/scanning. If necessary, I will seek other providers.

I look forward to seeing others views, experiences and additional research

EDIT: title edited for clarity

[edit on 5-8-2009 by DontTreadOnMe]

Wow, thats pretty harsh. Here in canada all we need to provide is our health care card.... for now......

Showing your ID should be good enough, and there should be no reason to have to copy it other than to save them the time of repeatedly asking you for it.

I don't know of any Doctor's Office, Dentist Office, Physician, or Clinic that does their own Billing. Almost all of them outsource their Billing to 3rd Parties that work out of their private homes.

How secure is it having that data in someone's private home who does the Billing for 15 different Doctor's Offices?

When I used to do IT Consulting on the side (I'm a SysAdmin by day, but after my daughter was born I had to find ways to make more money to start saving up for her college edumacation) Medical Billing Companies were my number one client (with dirt-bag Lawyers coming in a close second wanting me to recover deleted Pr0n from some husband's computer involved in a nasty divorce case). Do you want to know what my daily routine was at these Medical Billing Companies? Removing Spyware & Malware that got installed while their teenage son used their Home Office computers to look at Pr0n or download cracked games to play. All of the "Personal" and "Secure" data was compromised on an almost weekly basis. I can guarantee that none of them reported these system compromises to their clients (the Doctors, Dentists and Clinics they served). None of their clients would have notified their patients of these compromises to their personal data either.

Security isn't a given, even when you are large enough to afford an On-Staff IT Department. I manage 4 Datacenters for my employer, and they exceed the security required for PCI Compliance (required level of security for Secure Merchant Accounts). That keeps the Script-Kiddies out, but it doesn't keep the 1337 H4X0r5 from that data. Out of the tens of thousands of Merchants we host, at least once a month one of them reports being hacked. You can keep the amateurs out, but you can't secure anything from the professionals. The Department of Defense has some of the tightest security available and they get successfully hacked thousands of times a year, and generally but one of those ever thousands ever get caught. Data Security is an illusion, plain and simple.

If it is any consolation, it is Federal Law now that you present your Driver's License when opening a Banking Account, getting an Internet Connection, signing up for any Utilities, or even using Western Union.

And we wonder why Identity Theft is so rampant!

Hmmm.... well I know that healthcare fraud (via identity theft) is huge in my area, probably other parts of the country too, I have only worked in healthcare here. A lot of doctor's offices in and around Chicago require photo id for two reasons. The first is that some people had a habit of providing fake info and skipping out on their bill. The second (I actually feel sorry for) a person would lend their healthcare card to a friend to get treatment. I remember one case, it really made me feel bad, a lady lent her insurance card to a friend (the friend paid the co pays but she did not have the means to pay for medical attention on her own and she had for some reason been denied public assistance). She went into a different clinic and therefore had a different medical record. The insurance company I guess had gotten suspicious (perhaps because of the double duty office visits) in any event they made in inquiry and found the one client had too different blood types, oops. Now, I'm not sure how it worked out financially between the doctor and the insurance company but I do know the insurance agency sued the women for fraud. Given the current economic climate I bet such acts are occuring more and more. Unemployment is not the same as medicaid, and if a person loses their job they are expected to pay for Cobra insurance which is absolutely ridiculous in price. If anyone finds themselves in such a position, fyi, you can buy your own policy (which tend to be expensive even for bare bones coverages). A more economicamical option may be short term insurance most carriers provide it.

Now, yes I would be alarmed if someone wanted to copy my id, but it iss possible that they have been instructed not to tell the patients it is for the purposes of hunting patients down that don't pay their bills. In healthcare, I have never had to photocopy an id (yet) just ask for it to ensure proper identity. The only place I have ever had to physically copy it was 7 years ago working retail in college. When we did credit card apps we HAD to have a photocopy of the id for fraud,and that was required of us or we could not process the application.

My concern with any copy is that a lot of id theft comes from workers taking the copies and opening credit cards and such, which is my main concern. Realistically,the person taking the copy is low man on the totum poll and therefore has the most motive to try and take it.

I guess I don't have larceny in my heart, I never thought of someone giving their healthcare card to another.

Another thing, I am hoping someone can enlighten me as to how the FTC is overseeing what happens in doctor's offices?
I thought another Federal agency was over identity theft.

Originally posted by DontTreadOnMe
Another thing, I am hoping someone can enlighten me as to how the FTC is overseeing what happens in doctor's offices?
I thought another Federal agency was over identity theft.

The Federal Trade Commission oversees all issues that touch the economic life of every American. It is the only federal agency with both Consumer Protection and Competition Jurisdiction in broad sectors of the economy.

The part that brings the FTC into this matter of Red Flag Rules is indeed Fraud. As they ensure Consumer Protection, part of their Mission involves fighting and eliminating Fraud.

However, there is a distinction between requiring those companies that fall under Red Flag Rules to showing your Identification and requiring the copying/scanning your Identification. The first is common sense and not really an invasion of Civil Liberties or Privacy, assuming that "Identification" is not limited to only a valid Driver's License. However, requiring the copying/scanning of your Identification starts becoming invasive, not to mention burdensome on these business that must comply with the Red Flag Rules as now they must concern themselves with Data Retention and Data Security.

I honestly think you did the appropriate thing showing your Identification and not allowing for it to be copied.

I manage 5 doctor Internal Medicine practice in San Francisco, the Red Flag Rule implementation date was pushed back to November 1, 2009. We are already in compliance with the rule and the majority of our patients do not like it. They think its just one more hassle you have to go through at the doctors office, it slows down our front desk and makes check-in all that much more cumbersome.

Many physicians & practice managers are totally opposed to the Red Flag rule. The rule applies to all "creditors" since physicians bill you for any balance that your insurance doesnt pay they got lumped into the "creditor" group. The AMA is currently trying to get an exception for physicians, I don't know how much luck they will have though.

All that being said, the red flag rule says nothing about copying your ID, we only have to make an attempt to VERIFY your indentity, not keep it on file.

Originally posted by AllInMyHead
All that being said, the red flag rule says nothing about copying your ID, we only have to make an attempt to VERIFY your indentity, not keep it on file.

I appreciate your input, especially because you directly administer the Rule.

Now that I know that showing is all that is required, I find it more than odd that two separate offices, one a small practice, the other quite large, both wanted to copy/scan my ID.
Also, that neither were totally upfront with the reasons.


@ fraterormus

Thanks for the FTC clarification.
I think part of my brain thought it should be the FCC--although the other part knew FCC was for Communication, not Commerce *blush*

reply to post by DontTreadOnMe


I would imagine the reason that they want your drivers license is so that if you default on payment they can give that to their collection agency so they can find you. With so many people losing their benefit right now we are seeing TONS of people trying to get in with insurance cards that are now expired. Some patients even get very upset when we tell them that we have called their insurance and were given notice that their plan has terminated. We try to give these patients a discount but legally we cannot discount their charges below what our insurance contracts allow. Its really very sad. I am disliking being in "healthcare" every day, they should call it "InsuranceCare" because their interest usually come first in the long run. You would be amazed at how much insurance plans dictate what care you get, right down to the type of medication you take, even if better alternatives are available. Its really gotten way out of hand in my opinion. (You should always make a point of asking your physician whats the BEST route my care should take, not what will my insurance pay for. You may not be able to afford it but at least you would be informed and can fight with your insurance company)

Sorry, didnt mean to get off topic..I just deal with this stuff all day and it kinda gets to me!