The "Red Flags" Rule - New Effective Date

THE "RED FLAGS" RULE
What Health Care Providers Need to Know...
The Red Flags Rule and Guidelines went into effect January 1, 2008. Last summer the Federal Trade Commission (FTC) announced that health care providers would be considered creditors and subjected to the Red Flags Rule when they accept insurance and bill patients after services rendered for the amount insurance does not pay and/or if they regularly allow patients to set up payment plans for services rendered. The deadline for compliance was delayed until May 1, 2009, then August 1, 2009 and now finally June 1, 2010 after many medical groups expressed concern.
In an effort to help physicians become familiar with what is required by the Red Flags Rule and how to prepare the written Program that is federally mandated and subject to enforcement under the Fair Credit Reporting Act (FCRA) by the Federal Trade Commission (FTC), JPMS is providing information on the JPMS website.
The information that follows has been compiled by JPMS from material provided by various members of organizations of the American Association of Medical Society Executives.
- Visit the FTC website for resources to see if you are covered and learn how to comply: http://www.ftc.gov/redflagsrule
- The FTC has posted Frequently Asked Questions that address how the Rules will be enforced as well as other topics: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.
- Federal Register: FTC Red Flags Rule, 16 CFR Part 681.2(e)
- AMA Sample Red Flags Policy
Is Your Practice Required to Comply?
The definitions of "creditor" and "covered account" are key in determining whether or not you are subject to the Red Flags Rule. A creditor is defined as any entity that regularly extends, renews or continues credit. Credit includes, in part, transactions in which you defer payment of debts or accept deferred payment for products or services. One primary example is that of a patient who makes payment after the date of service; this type of arrangement constitutes an extension of credit. If you accept insurance and the patient is ultimately responsible for any balance after the insurance payment is received, this is an acceptance of deferred payment and you are a creditor. However, accepting credit cards as a form of payment at the time the product is purchased or the service is rendered does not by itself result in your being classified as a creditor under these new rules.
If you determine that you are a creditor, as defined under the Red Flags Rule, the next step is to determine whether your practice has "covered accounts." A covered account is defined as any account that a creditor offers or maintains, used primarily for personal, family or household purposes, that involves or permits multiple payments or transactions. However, a covered account also includes any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft to customers.
In the great majority of medical practices, the Red Flags Rule will apply, because accepting insurance generally results in deferring payment from a patient until payment is received from the insurance carrier. This determination is important because the Red Flags Rule requires creditors with covered accounts to identify those accounts that are at risk, and to define, detect and respond to red flags in order to prevent, or at least mitigate, identity theft. In short, a primary goal for a physician is to recognize suspicious circumstances that should prompt your office to be alert to possible theft of a patient's identity and to respond accordingly.
Red Flags Rule: Establishing an Identity Theft Prevention Program
If you are a creditor as defined under the Red Flags Rule, and your medical practice opens and maintains covered accounts, then you are required to prepare and implement a written Identity Theft Prevention Program (see the link above to the AMA Sample Policy).
The written program should serve to accomplish specific goals:
- Identify identity theft that may occur, or has occurred, in connection with either the opening or the maintaining of a covered account. The Rule further requires that you identify relevant red flags for covered accounts. Relevant considerations for your medical practice might include the types of accounts offered and maintained, the method(s) used to open accounts (including who has access when opening and maintaining covered accounts), who collects on these accounts, and the identifying information relating to a patient. Also relevant would be any prior exposure to or experience with identity theft in your medical practice.
- Detect the red flags that are incorporated into your written program.
- Respond appropriately to red flags that are detected. This includes reviewing your written program to ensure that the red flags identified for inclusion are being detected, and then acting to prevent or mitigate identity theft.
- Periodically review and update the written program to ensure it remains relevant to the types of accounts you maintain and the information they contain.
With regard to the requirements of the Red Flags Rule, the FTC has issued Red Flags Guidelines that are to be considered when preparing your written program. The guidelines include specific examples of the requirements that should be considered and incorporated into your written program as appropriate (see the link above to the FTC website).
In sum, the written program you develop and implement needs to function to detect, prevent and mitigate identity theft in connection with covered accounts. The size and complexity of your written program will depend on the medical practice or office setting, as well as the nature and scope of your medical practice. More specifically, your office must develop and implement reasonable policies and procedures to identify relevant red flags in connection with the opening and maintaining of covered accounts.
Red Flags Rule: Detection of Red Flags and Examples
Your written program, designed and implemented to prevent identity theft, is intended to detect red flags related to identity theft. The potential for identity theft is greatest when registering a new patient, because your office is also opening a new account. However, your written program is required to be operational on an ongoing basis, to ensure a continuous effort is made to prevent, as well as mitigate, identity theft. One example of an office policy and procedure regarding ongoing efforts would be to check for any changes in patient information during return visits. Another example might be the procedure followed if suspicious personal identifying information is presented during an office visit. One case in point involved a patient who did not have health insurance and who presented his brother's driver's license and insurance information. Because the brothers were close in age, and because license photographs are updated infrequently, this case of identity theft went undetected until the brother whose identity had been stolen received a bill for the balance owed for medical services.
In preparing your policies, remember to include information about identity theft that you may have learned or discovered from other sources such as colleagues, regulatory agencies and other organizations. The case described above is an example of identity theft that, if relevant to your practice, should be considered when preparing your program. It is quite likely that many of the requirements of the written program are policies and procedures already in place in your medical practice. Preparing a list of current office policies and procedures regarding the management of identifying information, patient documents and the monitoring of transactions would provide a baseline from which to begin a review of what is specifically required by the Red Flags Rule and Guidelines.
Red Flags Rule: Guidelines to Consider
Included in the FTC Red Flags Rule and Regulations are guidelines that must be considered when developing, and providing for the continued administration of, your written program. Required consideration of the guidelines includes reviewing the procedures appropriate to detect, prevent and mitigate identity theft in connection with covered accounts. The goal of the guidelines is to assist in your formulation and maintenance of the written program.
It is important to note that a practice may incorporate, as appropriate, existing policies, procedures and other arrangements that "control reasonably foreseeable risks" to patients, or to the safety and soundness of the creditor, from identity theft. In addition to those risk factors of which you may already be aware, the guidelines require that you consider the following specific risk factors to determine whether there is a reasonably foreseeable risk of identity theft to your patients (risk to the safety and soundness of their identifying information):
- the types of accounts offered and/or maintained;
- the methods used to open a covered account;
- the methods used to access covered accounts; and
- previous experience your office has had with identity theft.
Each of these factors should be reviewed to determine its relevance to your medical practice. One example of a red flag that may occur in your practice setting would be where a driver's license picture and name do not exactly match the name on the insurance card. Another example would be the name on a credit card provided for balance owed not matching the patient information you have on file.
Included in the FTC guidelines is consideration of the sources of possible identity theft. Sources include knowledge of prior incidents of patient identity theft or attempted theft of personal and/or identifying information, as well as possible methods of identity theft that may occur within your practice setting.
Red Flags Rule: Preventing and Mitigating Patient Identity Theft
Under the Red Flags Guidelines, you are required to consider certain responses relating to the prevention and mitigation of identity theft. In the event that you detect possible identity theft, appropriate responses to the red flag(s) should be proportionate and adequate to the degree of risk posed. An appropriate response to detection would include an assessment of related factors that may increase the identity theft risk. One example might be a breach of patient identifying information that results in unauthorized access to a patient's account records. A second example might involve someone who has fraudulently claimed to be one of your patients. How you would respond to these types of red flags should be included in your written program. Guidelines regarding possible responses include the following:
- Monitor covered accounts for evidence of patient identity theft;
- Communicate with your patient upon detection of possible identity theft;
- Change security information such as passwords or other codes in response to a red flag indicating possible identity theft;
- Close out accounts as necessary and, where appropriate, re-open them with different identifying and secure information;
- Do not pursue a patient for a debt owed where there is reasonable evidence of identity theft;
- Notify the proper authorities;
- Determine that, in a particular case, no response is necessary based on the circumstances.
It is important to remember that these guidelines should be considered when preparing your program, and that appropriate and reasonable responses relevant to your medical practice should be included in your policies and procedures.
Red Flags Rule: Administering the Program
Once you have identified the necessary elements to include in your written program, the next step is the administration of the program. Pursuant to the FTC Red Flags Rule, 16 CFR Part 681.2(e) (see the link above to the Federal Register document), there must be continued administration of the program. Continued administration includes designating someone at the senior administrative level as responsible for oversight, development, implementation and administration of the program. Staff are to be trained as necessary in order to effectively implement, continue and ensure the ongoing success of the program. In short, someone within your office who is responsible for exercising appropriate and effective oversight must be designated. The rules also require that, in the absence of a board of directors or other appropriate committee, initial approval of the written program be obtained from senior-level administration.
Included in the FTC Red Flags Guidelines are methods for administering the required written program. In short, you are required to have oversight by senior-level management within your practice, reports relating to the administration of the program, and oversight of any service provider arrangements your office has regarding patient accounts.
More specifically, each of these three aspects of administration involves the following:
- Oversight within your practice, by designated senior-level management, includes responsibility for implementing the written program, reviewing documents and reports prepared by other staff relating to compliance with identity theft prevention, detection and mitigation, and approving changes as necessary to address changing risks of identity theft.
- Reporting includes evaluation of issues such as the effectiveness of your office policies and procedures, changes to your program based on information you have discovered or received, and recommendations for changes. Responsibility for reporting includes the development, implementation and administration of the program, as well as periodic evaluation and updating. The guidelines provide for annual reporting, by senior-level management, regarding compliance with the program. Depending on the size of your practice, reporting may be as limited as an office manager reporting to a solo practitioner. In large practice settings, however, reporting by senior-level management may well be to a board of directors.
- Oversight of service provider arrangements includes steps to ensure that reasonable policies and procedures are in place to detect, prevent and mitigate the risk of identity theft when patients' personal and identifying account information is shared. One example would be where your office outsources billing.
Red Flags Rule: Compliance and Enforcement
As stated in the FTC Frequently Asked Questions piece, "the FTC does not conduct routine audits. However, the FTC can conduct investigations to determine if a business within its jurisdiction has taken the appropriate steps to develop and implement a written Program, as required by the Rule. The FTC may ask the target of the investigation to produce copies of its Program and other materials related to compliance. The FTC also may interview officers, employees, or others who are familiar with the company's practices. If the FTC has reason to believe the Rule has been violated, it can bring an enforcement action."
Further, with regard to penalties for noncompliance, as stated in the FTC Frequently Asked Questions piece, "the FTC can seek both civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief."
The Jefferson Parish Medical Society (JPMS) has provided the above information to assist you in developing an identity theft prevention program for your practice. Although not experts in the Red Flags Rule, the JPMS staff will gladly assist our members in any way possible to comply with this new rule.