Red Flags Rule will become effective June 1, 2010.
Red Flags Rule requires certain businesses and organizations to spot and heed the red flags that often can be the telltale signs of identity theft. The Federal Trade Commission (FTC) has continuously asserted that the Red Flag Rules DO apply to physicians and related health care providers.
The goal of the Rules is “to reduce the overall incidence and impact of identity theft, including medical identity theft.” Medical identity theft can occur when a patient seeks care using the identity or insurance information of another person. The rules are also intended to reduce risk of theft of credit information.
Medical practices are covered under the rule if two conditions are met:
- They are a “creditor” organization, and
- They have “covered accounts“
Under the rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. A medical practice is a “creditor” organization if it first submits a claim for services to insurance and then bills any remaining amount to the patient after the claim is adjudicated. The FTC considers this to be a creditor arrangement since payment for goods and services is deferred until the claim is processed.
Patient billing records are “covered accounts” under the Red Flag Rules if they permit multiple payments or if they have a reasonable risk of identity theft.
The FTC does not believe that the Red Flag Rules will impose any significant burdens on most healthcare providers. Red Flag Rules are risk based and designed to be flexible based on the level of risk faced by each practitioner. The FTC states that: “…for most physicians in a low risk environment, an appropriate program might consist of checking a photo identification at the time services are sought and having appropriate procedures in place in the event the office is notified – say by a consumer or law enforcement – that the consumer’s identity has been misused.”
What must a practice do?
There are four steps to developing a compliant program:
- Identify Red Flags
- Detect Red Flags
- Prevent and Mitigate Identity Theft
- Update your program regularly