Wednesday, April 15, 2009

Red Flags Rule

<http://www.knudsenlaw.com/Att_Bio_KRM.htm>
<http://www.knudsenlaw.com/>

The Red Flags Rule

By some estimates, nearly half of the health care providers in America
will soon be in violation of new federal identity theft rules. The
so-called "Red Flags Rule" was developed pursuant to the Fair and
Accurate Credit Transactions (FACT) Act of 2003, under the authority of
the Federal Trade Commission (FTC). See 16 CFR 681 (which can be found
at
http://ecfr.gpoaccess.gov/cgi/t/text/text-dx?c=ecfr&tpl=/ecfrbrowse/Title16/16cfr681_main_02.tpl
). Many health care providers have still never
heard of the Red Flags Rule, and many others are nevertheless unsure
whether the law applies. Even fewer are ready now to comply. Quick
action may be needed.

Under the rule, financial institutions and other "creditors" with
covered accounts must have implemented written identity theft prevention
programs designed to identify, detect and respond to patterns, practices
or specific activities that could indicate identity theft. The
definition of "creditor" is very broad and can be read to apply to many
healthcare companies (recent AMA challenges to this interpretation
failed - see attached FTC letter). Any entity that provides goods or
services and then later bills for the goods and services is a
"creditor," so incidental bills to patients, private pay, and insurance
claims can all fall under the rule because they often defer payment for
goods or services. As a creditor with covered accounts, health care
providers need to comply.

The FTC issued relatively little pre-implementation guidance
compared to entities that typically regulate health care (such as CMS).
In fact, the FTC delayed enforcement of the Red Flag Rules because of
reports that numerous companies were not even aware they were covered.
Originally, the plan was set to be implemented November 1, 2008, but the
six-month delay until May 1, 2008, was put into place to give
non-financial institutions an opportunity to develop a program. Despite
further attempts to delay implementation, May 1, 2009 remains the
deadline for compliance, and fines can range from $2,500.00 to
$11,000.00 per violation. While it is unlikely enforcers will be at
your door on May 2, eventually you will probably be asked to present
your plan, either during an audit or in a courtroom, and in any event it
would be best to present a plan that was implemented on time.

A program designed to identify and prevent identity theft must
be in writing, and tailored to the particular institution. The red
flags in the program may include, for example, unusual account activity,
fraud alerts on a consumer report, or attempted use of suspicious
account application documents. When a patient claims they are receiving
a bill for a provider that never served them or even a service that was
never provided, for example, a red flag has likely been raised. The
program must also describe the appropriate responses that would prevent
and/or mitigate the crime and a detailed plan to update the program.
Furthermore, senior employees or the Board of Directors should provide
oversight, staff and training.

In the health care setting, it is possible that existing
HIPAA-required mechanisms can satisfy some of the requirements, given the
purported FTC "flexibility" regarding what a written program should be. HIPAA
rules primarily address medical records; the Red Flag Rules, however,
also focus on financial matters. Moreover, the Red Flag Rules require
an affirmative attempt by the creditor to respond to evidence of
medical identity theft. A mere document will not do when a written
program is called for, and HIPAA is merely a supplement to, not a
substitute for, a proper program.

The FTC insists that the Red Flags Rule is flexible and allows creditors
the opportunity to design a program appropriate to their size and
complexity, as well as to the nature of their operations. In some
circumstances, the FTC says, a "simple streamlined" program would be
adequate, such as a requirement to check photo identification when
services are sought, and having procedures designed to appropriately
respond if alerted by law enforcement to some identity misuse. Such
procedures might be common sense. For example, when learning of
identity theft, a creditor should not try to collect the debt from the
person whose identity was stolen, nor report the debt to a credit
agency, and medical providers must keep the medical information separate
from the tainted financial information. It must be remembered, however,
that the program must be written.

Larger institutions will likely need correspondingly more robust
programs given the larger likelihood of identity theft. Robust programs
for larger institutions may require a privacy committee headed by a
privacy officer, with members chosen from discrete departments
including, for example, representatives from a pharmacy, administration,
nursing, admissions, billing, etc. Formal risk assessments would likely
be needed, along with reporting mechanisms, action plans, formalized
procedures, employee training, oversight and periodic review.

More information can be obtained from the Federal Trade Commission
website, including guidelines that the FTC believes should be helpful in
assisting covered entities in designing their programs. On April 2, the
FTC provided additional guidance on its new Red Flags Rule website
<http://ftc.gov/redflagsrule>, including a new "How To"
<http://ftc.gov/bcp/edu/microsites/redflagsrule/link-to-us.shtm> guide.


Kevin R. McManaman

krm@knudsenlaw.com <mailto:krm@knudsenlaw.com>

Knudsen, Berkheimer, Richardson & Endacott, LLP

3800 VerMaas Place, Suite 200

Lincoln, NE 68502

402/475-7011 (office)

402/475-8912 (fax)

402/440-2982 (cell)

www.knudsenlaw.com
