You'll have more time to get your practice in shape.

If you're still trying to figure out whether the government's new Red Flags Rule applies to your practice, you're in luck. The Federal Trade Commission (FTC) delayed the May 1 compliance deadline. But that doesn't mean you can put identity theft policies on the back burner -- here's what you need to know.

Be Ready By August 1

Just one day before the original compliance deadline, the FTC, which oversees the government's implementation of the Red Flags Rule, announced that you'll have until Aug. 1 to get your practice ready.

More good news: The FTC also noted in the delay announcement that for entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.

Reason for the delay: Many medical practices were unclear about how, and if, the rule affected them at all. Plus, when practices did realize they needed to comply with the new rule, they weren't sure how to implement a policy. The three-month extension allows practices extra time to get their programs together.

"From my experience there was not enough effort in many industries, not just healthcare, to get the word out that companies were required to comply," explains Ester Horowitz, MBA, owner/certified management counselor and practice marketing advisor with M2Power Inc. in Merrick, N.Y.

The FTC seemed to agree. "Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further," said FTC Chairman Jon Leibowitz in the April 30 statement.

Experts agree that the delay is beneficial to practices but that you should not let the extended deadline derail your identity theft policy plans.
"The delay gives practices more time to prepare," Horowitz says. "Although the hope they have is that the FTC will let practices off the hook by exempting them, the truth is that medical identity theft is the fastest growing problem and the most dangerous."

"Since practices already invested in implementing HIPAA, complying with Red Flag will be very simple and cost effective," she adds. "It would be morally, ethically, and economically prudent for practices to adopt Red Flag guidelines separate of the requirement to comply. It's something they should be proud to display."

Review the Red Flag Requirements

What it is: Under the Red Flags Rule, certain businesses and organizations -- including many doctors' offices, hospitals, and other health care providers -- are required to spot and heed the red flags that often can be the telltale signs of identity theft, according to an article on the Federal Trade Commission's Web site. The Red Flags Rule requires you to develop a program within your practice that addresses identity theft prevention techniques, as well as tools to detect and deal with any identity theft incidents that may occur in your office.

How it affects you: Because you bill your patients after you've rendered services, your practice is a creditor under the FTC Red Flags Rule. When a patient doesn't pay you in full at the time of service and your practice waits for payment from a third-party payer, you're extending credit to the patient until the third-party payer processes the claim. Your practice is, therefore, a creditor. And that means you need to have a policy in place to identify related incidents of identity theft.

According to Horowitz, there are four areas you should focus on to be sure you're prepared for the August 1 deadline:

1. Get your senior staff, board of directors, and managers on board agreeing to create a culture of security, Horowitz says. Part of this process should be selecting an identity theft security officer in your practice.

2. Perform a gap analysis of how identifying information is passed and used within your practice, including all verbal, written, and electronic transfers of information. Since your practice should have done this same sort of analysis for HIPAA compliance, as long as the infrastructure of the practice has not changed too much, practices can revisit the gap analysis they did for HIPAA, update that to remain HIPAA compliant, and then add identity theft, Horowitz explains.

3. Educate your employees in the areas of identity theft. "It as much affects them personally and professionally as it does the practice," Horowitz says. Remember, red flags are not limited to patients, but also affect employees.

4. Contact your practice's business associates and vendors to confirm that they are also complying with the Red Flags Rule.

For more information about the FTC's time extension on the Red Flags Rule, visit www.ftc.gov/opa/2009/04/redflagsrule.shtm.