Practice Management Alert

Think the Red Flags Rule Doesn't Affect You? Think Again

Get to know the new identity theft rules that many practices are overlooking.

Your practice follows all the HIPAA regulations, so you-re doing all you need to do to protect your patients, right? Not so fast. Starting May 1, you-ll need to have a concrete plan in place to identify stolen credit information. Here's what you need to know, according to the experts.

Get to Know What the Red Flags Rule Is

On May 1, the Federal Trade Commission will begin enforcing its -Red Flags Rule- for ensuring that businesses crack down on identity theft. Under the Red Flags Rule, -certain businesses and organizations -- including many doctor's offices, hospitals, and other health care providers -- are required to spot and heed the red flags that often can be the telltale signs of identity theft,- according to an article on the Federal Trade Commission's Web site. -To comply with the new Red Flags Rule ... you may need to develop a written -red flags program- to prevent, detect, and minimize the damage from identity theft.-

-The regulation focuses on requiring all employers, regardless of their industry, to make a good faith effort to thwart identity theft of employees, customers, and anyone they involve in business transactions,- explains Ester Horowitz, MBA, owner/certified management counselor and practice marketing advisor with M2Power, Inc. in Merrick, N.Y.

Your Practice May Meet -Creditor- Criteria

According to the FTC, the rule applies to businesses that qualify as -creditors- or -financial institutions.- But that doesn't mean you can scratch the Red Flags Rule off your list of things to learn.

-Health care providers are creditors if they bill consumers after their services are completed,- the FTC Web site says. -Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. However, simply accepting credit cards as a form of payment does not make you a creditor under the rule.-

Where do you fit? -Medical organizations are considered a -creditor,-- Horowitz says. -The word -creditor- has a broad meaning. Any health enterprise that maintains or otherwise possesses consumer information for a business purpose is required to follow the Red Flags Rule.- When a patient doesn't pay you in full at the time of service and your practice waits for payment from a third-party payer, you-re extending credit to the patient until the third-party payer processes the claim. Your practice is, therefore, a creditor.

Identify Risk Areas and Set Up a Solid Program

Now that you know your practice needs to follow the Red Flags Rule, how can you prepare? You should institute a Red Flag program in your practice, which you-ll need to revisit at least annually and more often as needed, advises Rebecca L.Williams, RN, JD, with Davis Wright Tremaine in Seattle.

The rule requires you to develop a report that you-ll submit to the board of directors (or to senior management), Williams says. -This report should include addressing the effectiveness of the program as well as significant incidents and responses of the organization.-

Bottom line: You should identify which areas fall within the identity theft recognition programs, meaning all departments, multiple sites, etc., and ensure that when you-re developing your program, that it is designed to detect, react to, and mitigate identity theft.

How: Follow the federal sentencing guidelines, Horowitz advises. (See the shaded box on page 26.) -Teach your staff what identity theft is,- she adds. -We may not be able to stop it, but we can certainly make it tougher for it to occur. Provide employees with an employee benefit that offers monitoring, restoring, and legal support to further protect them. It doesn't require that the organization subsidize it.- But by offering such a benefit, allowing your employees to make the decision to participate, and documenting that decision, your practice protects itself from litigation that might be brought against the practice as a result of identity theft in the future. Make patients aware of identity theft protection options available to them, if possible, as well, Horowitz adds.

Consequences: If your practice fails to meet the Red Flags Rule, you-ll potentially face federal and state fines of $2500 per occurrence, civil liability of $1000 per occurrence, class action lawsuits with no statutory limitation, and settlements making your practice responsible for actual losses of the individual identity theft victim.

-While the fines pale in comparison to other regulations, the lawsuits with no statutory limitations and responsibility for loss get my attention,- says Horowitz.

Monitor and Update Your Program

Once you have an identity theft program in place, you-ll need to review the program and its effectiveness regularly. -In simplest terms, keep vigilant,- Horowitz says.

-If a report indicates that a program has serious flaws, it seems that the program should be revised to reduce risks of identity theft,- Williams says. -If the report indicates that all is well, then there may not need to be any updates at that time.-

You don't necessarily have to revise your program each time you revisit it, but -it seems likely that there will be some tweaks needed for any new program,- Williams says. -And a program will not be effective unless it is updated to keep up with internal and external developments.-

More information: Turn to page 28 for some tips regarding what you should include in your Red Flags program.

Plus: To read the FTC's advice about the rule, go online and visit www.ftc.gov/bcp/edu/pubs/articles/art11.shtm.

Other Articles in this issue of

Practice Management Alert

View All