Reprint from: Home Care Automation Report
Issue date: 2009-08-12
Article category: Regulatory
Red Flag Rules enforcement date extended--again
Once again, the Federal Trade Commission (FTC) has extended the deadline for enforcement of the Red Flags Rule, which requires creditors--including some health care organizations--and financial institutions to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft.
Watch Robert W. Markette, Jr.'s program about the Red Flags Rule on the Home Care Information Network.
The original Red Flags Rule enforcement date was November 1, 2008. The American Medical Association (AMA), the Medical Group Management Association and other state and specialty medical societies pushed back, stating that the healthcare industry was taken by surprise at being included in these regulations. The FTC extended the enforcement date until May 1, 2009, to allow more time for organizations to prepare. At that time, a spokesperson from the FTC said the agency had no plans to extend the deadline again.
On April 30, 2009, the FTC announced another three-month delay to August 1 to give organizations more time to develop and implement written identity theft prevention programs. It also released a template to help small businesses comply with the law (Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft).
Now, for the third time, on July 30, the FTC announced it was delaying enforcement until November 1, 2009.
Red Flag Rules apply to healthcare providers
Many healthcare providers fall into one or both of the two categories of qualifying businesses covered under the Red Flags Rule, which are based on billing (creditor) and payment procedures (covered accounts).
A creditor is an organization that bills patients after performing services and allows patients to set up payment plans or helps patients obtain credit from other sources. A covered account is a consumer account that permits multiple payments or transactions, or an account, such as a patient account, for which you can reasonably foresee the potential risk of identity theft.
This excerpt from the FTC's February 4 response to the AMA's challenge of the applicability of the rule to health care organizations explains its view:
The Red Flags Rule is intended to address all forms of identity theft, including those involving the provision of health care. Although identity theft most commonly is associated with financial transactions, there are increasing concerns about identity fraud in the context of medical care. Medical identity theft can surface when a patient seeks care using the name or insurance information of another person, which can result in both false billing and the potentially life-threatening corruption of a patient's medical records.
A nationwide survey conducted for the FTC found that 4.5% of the 8.3 million victims of identity theft had experienced some form of medical identity theft, including the fraudulent use of their health insurance to obtain medical care or to obtain health insurance in their name. The incidence of medical identity theft may be increasing. The Department of Health and Human Services held a Town Hall meeting on October 15, 2008, to explore further the problem of medical identity theft and how it should be addressed in a health information technology environment.
You can read the FTC's full response to the AMA here.
Overview of the Red Flags Rule program
- Identify relevant warning signs of potential identity theft. Such red flags may include suspicious documents or billing activity, or notices from law enforcement authorities.
- Establish policies and procedures to detect red flags in day-to-day operations. These may include verifying a patient's identity and insurance information, or reviewing medical records for discrepancies. Implementing the process requires senior management approval and appropriate staff training.
- Prevent and respond to incidents of identity theft or suspected fraud. This might entail changing account numbers or contacting an insurance carrier to deter the misuse of stolen information. The response also may include notifying the patient of any potential fraud.
- Update the program periodically to help identify and respond to new risks.
The AMA has drafted a sample Red Flags Rule Compliance Policy.
Fighting Fraud With the Red Flags Rule: A How-To Guide for Business
General FTC identity fraud site