February 2009 Newsletter
FTC’s Red Flag Rules Apply to Most Health Care Providers
The Federal Trade Commission (FTC) issued regulations known as the Red Flag Rules, requiring “creditors” to establish and enforce written identity theft prevention programs, as part of the Fair and Accurate Transaction (FACT) Act of 2003. Originally, the programs were to be in place by November 1, 2008, but the deadline was extended until May 2009 because many entities, including health care practices, were unaware of the rule’s existence. On Friday, May 1, 2009, the FTC announced a second delay of three months, moving the compliance date to August 1, 2009.
The Red Flag Rules apply to financial institutions and creditors. The FTC announced that “Health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees.” In order to be a creditor, a provider has to regularly accept deferred payment for services. The AMA has challenged the FTC, stating that the rule should not apply to physicians, but the association doesn’t know when it might get a response from the FTC.
The rule requires that a creditor develop a written identity theft program that contains reasonable policies and procedures to detect, prevent and mitigate identity theft. The regulations set forth guidelines for the establishment of an identity theft prevention program and a supplement identifying the relevant warning signs, or red flags, of identity theft that should be incorporated into the program.
The World Privacy Forum has issued Suggestions for Health Care Providers, which outlines provider obligations and best practices, including procedures for addressing:
- A complaint or question from a patient based on the patient’s receipt of a bill for another individual, a bill for a service that the patient denies receiving, a bill from a provider that the patient has never seen, or an insurance EOB for services never received.
- Records showing medical treatment that is inconsistent with a physical exam or with a medical history as reported by the patient.
- A dispute of a bill by a patient who claims to be a victim of any type of identity theft.
- A patient who has an insurance number but never produces an insurance card.
The basic organizational requirements mandate that the program must include reasonable policies and procedures to:
- Identify relevant Red Flags for the accounts that the provider offers or maintains and incorporate those Red Flags into its program;
- Detect Red Flags that have been incorporated into its program;
- Respond appropriately to any Red Flags that are detected;
- Update the program periodically to reflect changes in risks from identity theft to patients.
The administration of the program has four required elements; a creditor must:
- Obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors;
- Involve the board of directors or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the program;
- Train staff, as necessary, to effectively implement the program;
- Exercise appropriate and effective oversight of service provider arrangements.