The Basics on the Red Flag Rules - Update for Health Care Providers, by Cheryl Coon
Thursday, October 01, 2009
(This article was originally published in the October 2009 edition of Tarrant County Physician. It is being republished with permission.) Copyright 2009 by Cheryl Coon.
Medical identity thieves can create havoc for consumers and businesses. They use people’s personal identifying information to open new accounts and misuse existing accounts. The FTC indicates that 4.5 percent of the 8.3 million identity theft victims involve some form of medical identity theft, such as use of someone else’s insurance to obtain care or use of someone’s identity to purchase health insurance. Organized crime is increasingly looking at medical identity theft, suggesting the problem will only get worse. One answer to this growing problem was promulgation of the "red flag" rules. The red flag rules are part of the Fair and Accurate Credit Transactions Credit Reporting Act and are intended to combat fraud and identity theft. The rules require persons who are subject to them to look for "red flags" and take action. A "red flag" is any event that causes you to be alert or to raise an eyebrow. An example could be a patient calling to question a bill for services that the patient swears he never received. While the rules were primarily aimed at large credit institutions and banks, they also are applicable to many health care providers that meet certain conditions.
Although there have been some questions about whether the red flag rules are applicable to health care providers, the July 29, 2009 announcement from the FTC made it clear that the FTC believes that health care providers and other small businesses are within the scope of the rules. In fact, in February 2009 the FTC provided the American Medical Association a letter explaining its position that most doctors are creditors subject to the rules. The compliance deadline is literally weeks away, November 1, 2009, after the FTC delayed the effective date for health care providers and other small businesses this past July.
Specifically, the rules are applicable to health care providers via the definitions in the rule. A "creditor" is any entity that regularly extends or renews credit or arranges for others to do so, and includes all entities that regularly permit deferred payments for goods and services. Thus, when health care providers defer payment by patients and bill insurance and other payors before balance billing patients, they become creditors. If a creditor has a "covered account," he or she must have, among other things, a written Identity Theft Prevention Program designed to identify, detect and respond to circumstances that could indicate identity theft. A "covered account" is either a consumer account designed to permit multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft. A "red flag" is something that should trigger more scrutiny and follow-up procedures, such as a driver’s license name not matching the insurance card. According to the FTC, a key area of focus should be new-account and new-patient procedures.
Because the rules probably apply, providers need to have programs in place, and soon. While there are many third-party vendors that can assist with compliance, providers can get virtually everything needed at no cost from the FTC and the Texas Medical Association ("TMA"). The FTC website www.ftc.gov/opa/2009/07/redflag.shtm is a good resource and has a sample policy that can be amended to suit most practices. The TMA also has some sample policies and a good webinar on the rules.
The Identity Theft Prevention Program should be tailored to each practice and need not be complex. The rules only require "reasonable" policies and procedures that can identify red flags and respond to them. There must be a program administrator and staff training. If a red flag event occurs, the policy should outline follow-up actions, e.g., contacting local law enforcement officials. One key component of the program is that there must be board or management approval of the policy and senior management involvement thereafter.
So what happens if you don’t get your policy done by the November 1 deadline? There are enforcement mechanisms the FTC can use. There is not, however, a private cause of action, meaning patients or others can file complaints with the FTC but only the FTC can enforce the red flag rules. The FTC can request records, initiate investigations and seek civil penalties and injunctive relief. The civil penalty is up to $3,500 per violation, enough to make most providers want to avoid enforcement. While the FTC has indicated that it will be less likely to enforce against an entity if the entity (i) knows its customers or clients individually, (ii) performs services at the customers’ homes, or (iii) operates in areas where identity theft is rare, and it has not been the target of identity theft itself, providers may not want to risk testing the limits of FTC enforcement discretion.
In conclusion, given the seriousness of medical identity theft and the FTC’s opinion that most health care providers are subject to the red flag rules, providers need to make sure they are compliant. Given the wealth of resources at the FTC, TMA and elsewhere, however, achieving compliance may be easier than some providers think.