How the Red Flags Rule Will Affect Your Practice and Your Patients, and What You
Can Do to Protect Yourself
In late 2007, the Federal Trade Commission (FTC) put
forth a set of regulations known as the Red Flags Rule. This new rule
requires certain entities, including physician practices, to develop and
implement policies and procedures to protect consumers against the growing
problem of identity theft. The rule was to go into effect on May 1st, 2009,
but the FTC has delayed enforcement until August 1st, 2009.
The main concern within physician practices is medical
identity theft. In the majority of cases, physician practices have information
such as a person’s name, Social Security number, credit card number and
insurance data readily available and easily accessible to many people. Medical
identity theft occurs when someone uses another person’s name and other
information to obtain and/or make false claims to receive medical treatment,
services, or goods. Probably the most serious outcome in situations of medical
identity theft is that of erroneous or fake information in a patient’s medical
history and records.
The FTC views physician practices as “creditors” since, in
essence, patients are extended credit. Credit in a physician practice is
“acquirable” and “extended” by allowing deferred payment until services are
rendered and insurance is collected. The American Medical Association has been
very active in saying that they disagree with the FTC’s interpretation of
physician practices being viewed as creditors and is fighting to render the
application of the Red Flags Rule null and void for physician practices.
However, as of now the AMA has not won that argument and the FTC Red Flags Rule
is still going forward on August 1st. Physician practices that accept insurance
or have payment plans available for their patients must implement internal
policies and procedures by August 1st, 2009 or face a penalty of up to $2,500
per known violation.
The new FTC rule may initially be confused with HIPAA
regulations, but it differs from them because the Red Flags Rule is geared towards
the protection of credit card information, Social Security numbers, Tax
Identification Numbers, and business and employer ID numbers. HIPAA, on the other
hand, is intended to protect personal health information.
According to the FTC, Red Flags are patterns, practices,
or specific account activities that hint at the possibility of identity theft.
Some examples of red flags are alerts, notifications or warnings from consumer
reporting agencies, suspicious documents such as inconsistent personal
identification documentation, non-existent and social security numbers.
The FTC will require that all entities have reasonable
policies and procedures in place to detect and respond to possible identity
theft. The documentation that will need to be developed and implemented within
your own practice will have to be relative to the possibility of identity theft
occurring in your office. The easier it could be to potentially “steal” a
patient’s identity in your office, the stricter the policy should be. In addition,
your Red Flags Rule documentation should be consistent with the existing HIPAA
procedure already in place at your practice.
For sample practice policies, please log onto
www.ama-assn.org. These policies can be adapted to best fit the needs of your
practice. The August 1st deadline is quickly approaching and unless the FTC
changes its views before then, the Red Flags Rule will apply broadly to the
healthcare industry.