Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. 

The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA. 
 

The Identity Theft Red Flag Rules require covered entities to implement a program to detect and respond appropriately to signs of identity theft. For a health care provider, this would mean, as an example, detecting situations in which a patient may be attempting to obtain medical services using another person’s identity and medical insurance policy. Since the FTC’s position on this issue has been firm, unless and until the AMA obtains a stay on enforcement of the rules, medical care providers should gear up for compliance.

According to the FTC, for many providers of medical care, compliance may not be too burdensome since their programs need only be scaled to the level of risk of identity theft faced by their patients. So if the risk is low, the identity theft program can be streamlined commensurate with such risk. 

As examples, a health care provider could implement a program that includes, among other things:

  • Checking patients’ photo IDs when medical services are sought
  • Responding appropriately when notified by a consumer or law enforcement agency that the consumer’s identity has been misused
  • Isolating suspect medical records from the victim’s medical records
  • Suspending collection efforts against the medical identity theft victim relating to services provided to the unauthorized individual 


Depending on the size and complexity of the provider, a more robust program may be necessary.**

*See the FTC’s September ’08 article on the applicability of the Red Flag Rules to health care providers.

**See The World Privacy Forum’s suggestions for health care providers addressing the Red Flag Rules. See a January ’09 report commissioned by the U.S. Dep’t of Health and Human Services’ Office of the National Coordinator for Health Information Technology regarding medical identity theft, including suggestions to prevent medical identity theft and actions to take in the event that medical identity theft is suspected.

Comments (8)
jennifer harless - April 21, 2009 7:57 AM

I am heading up the red flag compliance issues with my facility, an outpatient orthopaedic practice.
I am interested in samples of policy and procedures others have done in a similar practice to prevent medical id. theft.
jennifer

sheila - April 28, 2009 9:16 AM

I am also interested in samples of policy and procedures for my multi practice to prevent medical id theft.

sue - May 11, 2009 12:56 PM

I found some templates for the initial red flag portion of the ID theft ruling, but I would like any samples of the portion dealing with computers.

Cyndi - May 13, 2009 11:22 AM

Have these red flag deadlines (effective date) been pushed back? I read May 1, 2009 - now am told that this has been postponed?

Kristen Mathews - May 13, 2009 8:21 PM

Yes, the new compliance deadline is August 1, 2009. Note that this delay in enforcement only applies to covered entities regulated by the FTC, and is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3).

Jean - May 13, 2009 10:15 PM

At an appointment this week I was asked for my ID, I complied with presenting it for verification. When they returned it I noticed that they had made a copy of it. I expressed my concern about this and was told that this was the law. Do I have any rights to say "no copying" of my ID card?

Cindi - May 21, 2009 12:21 PM

We use CareCredit as a third party financing company in our single practitioner dental office. What is the protocol we are to follow?

Tammy - June 22, 2009 12:09 PM

We are a mobile diagnostic imaging company that contracts with Hospitals. Do we need to have a separate policy in place or just use the policy at each facility that we service? We do not have any patient billing, each facility provides their own billing.
