Compliance date: November 1, 2009
The Federal Trade Commission (FTC) requires physician practices to develop and implement their own office-specific policies and procedures to protect against medical identity theft. Any physician or medical office "who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit" is a creditor and subject to the rule. The FTC has determined that physicians who accept insurance or allow payment plans are creditors and therefore subject to the Red Flags Rule; in its view, a physician "extends credit" by deferring payment until services are rendered and insurance is collected.
A Red Flag is an indicator of possible identity theft drawn from a pattern, practice or specific type of account activity. The FTC has identified the following categories of Red Flags:
- Alert or notification from a consumer reporting agency
- Suspicious documents or identifying information that is inconsistent or nonexistent, such as varying Social Security numbers
- Suspicious activity in a patient's account
- Notice of possible identity theft from patients, law enforcement or other authorities
The FTC requires that medical practices have "reasonable policies and procedures" in place in order to identify, detect and respond to red flags. What is reasonable will be determined by the specific practice and degree of risk. Failure to have adequate policies and procedures in place by November 1, 2009 may subject you to a penalty of up to $2,500 per "knowing violation".
To assist your medical practice, MAOPS has developed a template to help you develop and administer your Red Flags policy and procedure. This template is designed with the small medical practice in mind, where you and your staff are primarily responsible for the day-to-day operations and where you do not necessarily have technical support personnel on premises. MAOPS assumes that if you use this template, you are a small office where you know your patients personally, where you have never experienced identity theft previously, and where identity theft is rare within medical offices of your size and location. Such an office would be classified by the FTC as a low-risk organization or business. If you have multiple office locations, you must have policies and procedures for each office. If this profile does not describe your practice, MAOPS recommends that you check with your attorney for additional guidance. If your office is associated with a corporation or larger entity, MAOPS recommends that you contact that entity to see what steps it is taking to ensure your office's compliance. Your office's Red Flags policy must be approved by your practice, its Board of Directors, or an appropriate committee or representative.
Disclaimer: Compliance with the HIPAA privacy and security rules is not a substitute for a policy and procedure under the Red Flags Rule.
The Red Flags Rule extends to credit card information, tax identification numbers, insurance claim information and background check information. To assist small offices and practices, MAOPS has developed a template that contains specific steps to help you develop a policy and procedure for your medical practice. It is made available with the understanding that it is for informational purposes only and should be used as a general reference and guide for outlining the steps that must be taken to comply with the Red Flags Rule. These steps serve as general examples and suggested starting points for your practice's compliance and should not be treated as legal or other professional advice.
Warning: The current date set for compliance is November 1, 2009. The FTC has delayed implementation of the Red Flags Rule several times over the last year, in part to address concerns brought by the AOA and the AMA. The AOA and AMA are recommending to the FTC that the Red Flags Rule not apply to physician offices; however, the FTC so far has resisted that approach. For the most current and up-to-date information regarding implementation and compliance with the Red Flags Rule, please check the FTC's website.
STEPS TO DESIGNING YOUR IDENTITY THEFT RED FLAGS RULE POLICY
Step 1: Identify Red Flags
Conduct an assessment of your practice. Identify the specific Red Flags that would indicate patients or others are attempting to obtain medical services or information fraudulently, and where your practice is exposed to that risk. Be aware of who has access to sensitive information, including staff and outside parties. Conduct background checks on staff to confirm that they are reliable and credible. Once Red Flags are identified
Step 2: Detect Red Flags
Explain how your practice will detect the Red Flags you have identified, including the steps you will take to train your staff to look for them.
Step 3: Respond to Red Flags
Decide how you will respond to any Red Flag that comes up, such as an inconsistency in identification, and what the next step will be.
Step 4: Administer your program
Get the approval of the person or persons in charge, whether that is the physician, the Board of Directors or other management. Then designate an employee to administer the program. Next, decide how staff will be trained and how that training will be provided: special training, an orientation, annual updates, or all three. If you use service providers (outside invoicing, collection agencies, janitors or cleaning services), talk to them and make sure that they either have their own program in place or follow your Red Flags program, and keep documentation of what you have done. Finally, describe how and when you will update your program to keep it current.