• buy 
• sell $
• about
• My DOTmed 

The Federal Trade Commission (FTC) is slated begin enforcement of its Identity Theft Red Flags Rule on August 1, 2009. The Rule requires creditors and financial institutions to adopt identity theft prevention programs. The FTC has repeatedly stated that health care professionals are subject to the Rule.

In a letter from the FTC to the American Medical Association, the FTC confirmed that the "plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services," adding that the burden on health care professionals need not be substantial. The FTC is also concerned with medical identity theft, where a patient uses the name or insurance information of another person. Medical identity theft can result in false billing and potentially life-threatening corruption of a patient's medical records.

According to the FTC, after implementation of the Fair and Accurate Credit Transactions Act of 1993, various federal agencies were obligated to jointly develop rules and guidelines for "financial institutions" and "creditors," which are known as "covered entities." In turn, covered entities need to run a risk assessment on their business to determine if they have "covered accounts"--that is, consumer accounts or accounts that are at risk to identity theft. If an entity has such an account, it must develop and implement an Identity Theft Program to identify, detect, and respond to possible risks of identity theft relevant to the accounts. Any such program must detail the intended response once a "red flag" has been detected. This includes refraining from billing a consumer, reporting the incident to a law enforcement agency, and ensuring the information relating to the thief is not co-mingled with that of the victim. The program must also have provisions to keep current.

Although the AMA has continued to protest health care professionals being included in as covered entities, the FTC's response is that professionals who regularly bill their clients, customers, or patients for services after those services are rendered are creditors under the Equal Credit Opportunity Act (ECOA).

John C. Parmigiani, president of John C. Parmigiani and Associates, which offers compliance consulting, spoke to DOTmed regarding the August 1 enforcement date. "Originally scheduled for November 1, 2008, then postponed until May 1, 2009, this latest compliance enforcement date, I believe, resulted from the FTC's seeing that additional time was needed, especially in light of the ARRA signing and, in the case of health care, the emergence of the HITECH* provisions. I believe it is also indicative of the new administration's approach to new regulatory compliance requirements--to ensure a complete understanding and a corresponding developmental activity [that will] be fully ready when the date for compliance enforcement becomes due. The health care industry should be ready by August 1, given some progress that was made toward the May 1 date and the complementary emphasis of HITECH. Furthermore, the FTC has stated, and I believe, that the August 1 date is firm and will not be delayed again."

*(HITECH is the Medicare provision benefiting physicians who adopt Health Information Technology, see DM 9401.

Wayne J. Miller, compliance expert, of the Compliance Law Group in Thousand Oaks, CA, says that efforts continue, to try to get Congress or the FTC to delay implementation further or avoid it completely. "It's possible that relief might be included as part of health reform legislation," Mr. Miller says. "Some physicians or other professionals mistakenly think that HIPAA security rule compliance is enough to comply with the Red Flags Rule. However, the rule extends to information that may not be part of the "protected health information" covered by HIPAA, and it focuses on identifying and preventing identity theft, which is beyond the scope of the privacy law."

Mr. Miller points out the information covered by the Red Flags Rule that is not the main focus of HIPPA includes: credit card information, Social Security or tax ID numbers, and insurance claim identifying information.

The FTC says the particular risk an industry or individual entity may face is correspondent to the scope of its red flag program. "A small medical practice with a well-known, limited patient base might have a lower risk of identity theft, and thus might adopt a more limited Program than a clinic in a large metropolitan setting that sees a high volume of patients," the FTC's letter stated, suggesting that health care practitioners in a low-risk environment might simply check photo identification at the time services are sought.

Why is compliance with the Red Flags Rule important? John Parmigiani says, "In light of the HITECH Act and the regulatory environment, the Red Flags Rule is essential to health care's moving ahead and becoming fully operational in an E-Health environment. Protecting against identity theft/medical identity theft and ensuring data confidentiality, integrity, and availability are critical success factors in the "trust" equation essential to E-Health."

Preparing, in case the enforcement date holds, is important for health care practitioners. "In the brief time before the compliance date (assuming that it is not changed again)," Mr. Miller recommends, "professionals should do a short risk assessment of identity theft risk points, and staff in-service(s) and implement a red flag policy. The most likely focus in a typical doctor's office is the front office staff. The education and policy would detail discrepancies that reception may uncover that should trigger further review and possible reporting to law enforcement and the FTC."

"For example," Mr. Miller continued, "patients showing IDs that don't match their appearance; clients receiving statements or information that does not pertain to them, or patients without identity documentation. The policy should have steps to address such discrepancies which may be similar to HIPAA privacy procedures: investigation, notification and mitigation. Compliance with Red Flag rules by physicians may also extend to financial or status information maintained for staff, particularly if the office provides medical care to employees. Consideration should be given to make sure policies also extend to identifying possible identity theft involving staff information."

The FTC offers a "how-to" guide for businesses on the Rule, available at:
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf and a do-it-yourself kit for low-risk businesses available at: http://ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf

Based in part upon the letter from the FTC to the AMA

Read more on DOTmed.com
Healthcare Chronicles: Are You Ready to Comply With the Red Flags Rule?
http://www.dotmed.com/news/story/8861/