Part B Insider (Multispecialty) Coding Alert

Records security:

FTC: Physician Practices Could Be Considered 'Creditors'

Federal Trade Commission pulls in health care entities but extends rule deadline.

You may have thought that compliance enforcement for your practice was under the purview of your carrier, CMS, and the OIG -- but now it looks like the Federal Trade Commission (FTC) wants to lay down the law with medical practices as well.

Last summer, the FTC issued its "Red Flags Rules" that require financial institutions and creditors to create written identity theft prevention programs by Nov. 1. However, many businesses -- including health care practices -- didn't realize they

should be considered "creditors" and weren't ready to put plans in place to comply with the Red Flag rules. Therefore, the FTC delayed enforcement of the rule until May 1, 2009.

At issue: The FTC's original notices regarding the new rule listed several types of covered entities, including car dealerships and utility companies.

However, the FTC later announced in its article, "The 'Red Flags' Rule: What Health Care Providers Need to Know..." that "Health care providers are creditors if they bill consumers after their services are completed. Health care providers that

accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees." 

What this means: "If a physician is a creditor and maintains covered accounts, the 'red flag' regulations require the physician's practice to develop a written identify theft prevention program that contains reasonable policies and procedures to

detect, prevent and mitigate identity theft in connection with covered accounts," according to an Oct. 16, 2008 AMA news release.

Keep in mind: "In order to be a 'creditor,' a provider has to regularly accept deferred payment for services," says Barbara J. Greenwood, Esq. with Rath, Young and Pignatelli in Concord, N.H.

Although the AMA challenged the FTC, arguing that the rule should not apply to physicians, the association doesn't know when it might hear back from the FTC.

"Hopefully, the FTC will provide some clarification before May 1," Greenwood says.

Until that time comes, "health care providers should move forward in developing and implementing a identity theft detection, prevention and mitigation program," advises Rebecca L. Williams, RN, JD, a partner with Davis Wright Tremaine, LLC in

Seattle.

To read the FTC's article for health care providers, visit http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm#footnote.