Medicare Compliance & Reimbursement

Privacy:

New Red Flags Clarification May Exempt Physicians As 'Creditors'

But you should still make an effort to safeguard patient confidentiality, experts say.

In a vote that came right down to the wire on the Red Flags Rule deadline, Congress voted last week to change the wording of who is considered a "creditor" in the government's eyes, and fortunately, medical practices no longer appear to fit the definition. This means that the Jan. 1 deadline to comply with the Red Flags Rule may not affect you.

Background: Previously, the Red Flags Rule defined a creditor as any entity that bills a customer after rendering services. The Federal Trade Commission's (FTC's) Web site noted earlier this year that creditors included "many doctor's offices, hospitals, and other health care providers." As creditors, medical practices had to comply with the FTC's Red Flags Rule, which required creditors to develop programs to address identity theft prevention techniques, as well as tools to detect and deal with potential identity theft incidents.

New ruling: Both the House and Senate approved the "Red Flag Clarification Act of 2010," which is currently waiting for President Obama's signature. In a nutshell, the Act indicates that a true "creditor" meets the following criteria:

  • Obtains or uses consumer reports in connection with credit transactions
  • Furnishes information to consumer reporting agencies
  • Advances funds to or on behalf of a person that the person will pay back later

Although some practices that operate on a cash-only basis (such as plastic surgeons) may check patients' credit or report to credit agencies, most medical offices do not, and therefore no longer appear to meet the definition of a "creditor."

Physician advocacy organizations were pleased with the ruling, and want the FTC to specifically indicate in writing that physicians are exempt from the Red Flags Rule, which has not yet happened. "The AMA is pleased that this legislation supports AMA's longstanding argument to the FTC that physicians are not creditors," said AMA President Cecil B. Wilson, MD, in a Dec. 7 statement. "We hope that the FTC will now withdraw its assertion that the red flags rule applies to physicians."

Don't Abandon Your Efforts

If you've worked throughout the past year to tighten up your identity theft prevention processes, don't think that work was for naught. The provisions in the Red Flags Rule are still considered smart if you want to avoid problems in your practice, says James D. Hook, MPH, director of consulting services with The Fox Group, a healthcare consulting firm based in Upland, Calif.

Your practice is still legally responsible for protecting the confidential information that patients give to you, Hook says. If you created a Red Flags program, don't just toss it aside -- instead, continue to implement the safeguards that you put in place to protect your patients.

For instance, "it's pretty common now to take a photograph of your patients and store that picture to verify that the person presenting for a visit is the same patient connected to the insurance identification number," Hook advises. "That way you'll know that someone hasn't pilfered or borrowed an insurance card to receive care and have someone else pay the bill." If you instituted this practice, you should continue to follow it.

In addition, you should have processes in your practice to safeguard the information that patients have given to you. "Many times in medical practices, identity theft is, unfortunately, an inside job," Hook says. "Someone might take just enough information to use a patient's identity or even take their credit card information. There isn't much you can do to defend yourself against the dishonest actions of one employee acting alone, but you do want to have at least a bare minimum outline of what you'd do in the event that you found someone has misused patient information. Also, make sure you have a plan in place when you find someone seeking treatment with a stolen identity -- for instance, notifying the real patient and, potentially, law enforcement."

For the full text of the legislation, visit www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf.