Home Health & Hospice Week

Regulations:

FOLLOW THESE 4 STEPS TO RED FLAGS RULE SUCCESS

Check out what the FTC expects of you starting next month.

Like it or not, the Federal Trade Commission expects you to comply with its Red Flags Rule on identity theft starting May 1.

The Red Flags requirements have taken many home care providers by surprise, notes attorney Robert Markette Jr. with Gilliland & Markette in Indianapolis. But "it shouldn't be hard to comply" if you follow the FTC's relatively simple guidelines, Markette tells Eli.

Every covered provider must have an identity theft prevention plan under the rule. Here's what the FTC expects you to do in your plan:

1. Identify red flags. The "red flags" in the rule's names mean indicators that your patient's identity may be stolen, either by the person you're treating or by someone else. You need to identify what suspicious activities or "red flags" you'll be looking for.

Some examples listed by the FTC in its guidance, including examining credit reports or monitoring account activity, won't apply to home care providers. But other elements such as examining documents (such as ID cards) for suspicious signs or matching up documentation will be useful.

2. Detect red flags. "Once you've identified the red flags of identity theft for your business, it's time to lay out procedures for detecting them in your day-to-day operations," the FTC advises. Decide who will look for the red flags and how they'll do it."Your program must state who's responsible for implementing and administering [the plan] effectively," the FTC says.

Essential: "Because your employees have a role to play in preventing and detecting identity theft, your program also must include appropriate staff training," the FTC reminds providers. "If you outsource or subcontract parts of your operations that would be covered by the rule, your program also must address how you'll monitor your contractors' compliance."

In home care, a large part of detecting red flags will involve looking at documentation available in the patient's home during the intake process(see related story, p. 114). But don't overlook red flags that may pop up later in the patient's ongoing treatment either.

3. Prevent and mitigate identity theft.

Decide how you'll handle it when red flags pop up.Spell out when you'll notify the patient, notify law enforcement, etc.

4. Update your plan. Don't expect your plan to stay the same once you've laid it out. The rule "requires periodic updates to your program to ensure that it keeps current with identity theft risks,"the FTC says.

Remember: It's not good enough merely to have a sound plan on the books. "Just getting something down on paper won't reduce the risk of identity theft," the FTC warns.

And your board of directors has to approve your first written program. "If you don't have a board, approval is up to an appropriate senior-level employee," the FTC explains.

Note: FTC how-to guidance on implementing a Red Flags Rule plan is at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm.