Red Flags Rule – Another Delay Gives Practices More Time to Comply

By Laura A. Petersen

As most healthcare practice administrators are aware, the Federal Trade Commission issued the Red Flags Rule (“the Rule”) in November 2007. The Rule requires that certain entities develop and implement identity theft policies and procedures to protect consumers. The American Medical Association and other medical societies have vociferously argued that the Rule does not apply to healthcare entities. Nevertheless, the FTC will apply the Rule to healthcare entities. The implementation deadline has been delayed three times now. The FTC most recently indicated that it will apply the Rule beginning on November 1, 2009. While the FTC has provided additional information regarding low-risk entities under the Rule, the ultimate effect of the Rule is unchanged. Accordingly, healthcare entities that fail to comply could face fines of $2,500 per violation.

Healthcare entities are subject to the Rule because medical identity theft (when someone uses a person’s name/other parts of identity without the person’s knowledge to obtain/make false claims for medical services/goods) can be protected by implementing the Rule. The Rule expressly pertains to “creditors” who have “covered accounts.” Healthcare entities are creditors if they render medical services to patients without taking full payment at the time of service (i.e. accepting co-pays and billing insurance for the remainder or offering patients deferred payment). Patient accounts are covered accounts under the Rule.

To comply with the Rule, a healthcare entity must develop a program that allows it to identify relevant red flags; detect red flags; prevent and mitigate identity theft; and update the program periodically. There is a link on the FTC’s web page with guidance for low-risk entities as well as a template for creating an identity theft prevention program. The AMA has developed a sample policy which is available on its web page. Practice groups are cautioned against simply using any sample policies as the FTC has indicated that each practice’s program must identify how red flags will be identified and must be appropriate to the size and complexity of the practice.

Some examples of healthcare entity red flags are as follows: when a patient receives a bill for another individual or receives a bill for a service he did not receive; records showing medical treatment inconsistent with the physical examination or medical history; a report from the patient’s insurance company that coverage for legitimate hospital stays are denied because insurance benefits are depleted/lifetime cap has been reached; and a bill dispute by a patient who claims to have been a victim of identity theft.

A medical practice red flag program must identify the practice’s process to train staff, assign a dedicated staff member to investigate possible red flags, institute measures to detect red flags, and have policies and patient education about identity theft. It is important to remember that appropriate red flag detection measures vary from practice to practice.

The Rule also imposes a duty to mitigate identity theft. As such, healthcare entities are required to establish procedures for responding to red flags as part of their identity theft prevention program. This would include increased monitoring and establishing a plan for gathering documentation once an incident occurs, setting up a process for reporting the incident to a patient and appropriate law enforcement agencies, and implementing guidelines for further action. Notably the Rule requires that creditors update their identity theft prevention program periodically. Periodic updates should focus on things that the healthcare entity is specifically experienced with identity theft, changes in types of identity theft, changes in methods to detect, prevent, and mitigate identity theft, changes in the types of accounts that the entity offers or maintains, and changes in the creditor’s business arrangements.

Ultimately through the implementation of these polices, the FTC hopes that there will be a reduction in the number of identity theft victims. However, the Rule’s application to healthcare providers continues to be extended. Despite the extensions, it is imperative that practice groups remember that the plans, policies, and procedures must be in place, staff must be trained, and the program must be implemented by November 1, 2009.

Originally published in the Fall 2009 edition of Quinn Quarterly.