Home Health & Hospice Week

FTC says health care providers could be considered 'creditors.'

Health care organizations including home care providers that think compliance enforcement for their businesses is under the purview of their Medicare contractors, CMS, and the OIG should think again.

Now it looks like the Federal Trade Com-mission also wants to lay down the law with medical providers. Last summer, the FTC issued its "Red Flags Rules" that require financial institutions and creditors to create written identity theft prevention programs by Nov. 1, 2008. However, many businesses -- including health care providers -- didn't realize they should be considered "creditors" and weren't ready to put plans in place to comply with the Red Flag rules. Therefore, the FTC delayed enforcement of the rule until May 1, 2009.

At issue: The FTC's original notices regarding the new rule listed several types of covered entities, including car dealerships and utility companies. However, the FTC later announced in its article, "The 'Red Flags' Rule: What Health Care Providers Need to Know..." that "Health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees."

What this means: "If a physician is a creditor and maintains covered accounts, the 'red flag' regulations require the physician's practice to develop a written identity theft prevention program that contains reasonable policies and procedures to detect, prevent and mitigate identity theft in connection with covered accounts," according to an Oct. 16, 2008 American Medical Association news release.

The same standard applies to other health care providers like home care providers too, industry experts say.

Keep in mind: "In order to be a 'creditor,' a provider has to regularly accept deferred payment for services," says attorney Barbara Greenwood with Rath, Young and Pignatelli in Concord, N.H. Although the AMA challenged the FTC, arguing that the rule should not apply to physicians, the association doesn't know when it might hear back from the FTC. "Hopefully, the FTC will provide some clarification before May 1," Greenwood says.

Until that time comes, "health care providers should move forward in developing and implementing an identity theft detection, prevention, and mitigation program," advises attorney Rebecca Williams with Davis Wright Tremaine in Seattle.

"Health care providers can be the first to spot the red flags that signal the risk of identity theft," the FTC urges providers in its article. That includes "suspicious activity indicating that identity thieves may be using stolen information like names, Social Security numbers, insurance information, account numbers, and birth dates to open new accounts or get medical services."

Watch out: Providers who "violate the Rule may be subject to civil monetary penalties," the FTC warns.

Note: To read the FTC's article for health care providers, visit www.ftc.gov/bcp/edu/pubs/articles/art11.shtm.