Red Flag Rules Apply to Physicians

Under the Red Flags Rule, certain businesses and organizations are required to spot and heed the red flags that often can be the telltale signs of identity theft. The Federal Trade Commission (FTC) has asserted that the Identity Theft Red Flag Rules do apply to physicians and related health care providers. However, on April 30, 2009 the FTC agreed to defer enforcement of the Red Flag Rules from May 1, 2009 until August 1, 2009 in order to allow more time to develop written policies and prevention programs. Many medical practices may still be required to develop Red Flags compliance plans by August 1, 2009. The AMA, MGMA and other specialty societies have objected to the inclusion of healthcare providers in this rule.

The goal of the Rules is “to reduce the overall incidence and impact of identity theft, including medical identity theft.” Medical identity theft can occur when a patient seeks care using the identity or insurance information of another person. The rules are also intended to reduce the risk of theft of credit information.

Medical practices are covered under the rule if two conditions are met:

1) They are a “creditor” organization, and 2) They have “covered accounts.”

Under the rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. A medical practice is a “creditor” organization if it first submits a claim for services to insurance and then bills any remaining amount to the patient after the claim is adjudicated. The FTC considers this to be a creditor arrangement since payment for goods and services is deferred until the claim is processed.

Patient billing records are “covered accounts” under the Red Flag Rules if they permit multiple payments or if they have a reasonable risk of identity theft.

The FTC does not believe that the Red Flag Rules will impose any significant burdens on most healthcare providers. The Red Flag Rules are risk based and designed to be flexible according to the level of risk faced by each practitioner. The FTC states that: “…for most physicians in a low risk environment, an appropriate program might consist of checking a photo identification at the time services are sought and having appropriate procedures in place in the event the office is notified – say by a consumer or law enforcement – that the consumer’s identity has been misused.”

What must a practice do?

There are four steps to developing a compliant program:

  1. Identify Red Flags
  2. Detect Red Flags
  3. Prevent and Mitigate Identity Theft
  4. Update your program regularly

The AMA has created a Red Flag Sample Policy that group practices can use to formulate their own red flag policy.