Red Flags Rule
In recent years, physicians have been pummeled by a jackhammer of regulatory requirements. First, it was The Health Insurance Portability and Accountability Act (HIPAA), which required changes in practices to safeguard the privacy of medical data but has led to few fines or prosecutions. Now, on August 1, 2009, a set of laws ominously named the “Red Flags Rule” will come to bear on physician practices. The rule was to have taken effect May 1, but the Federal Trade Commission (FTC) voted April 30 to delay the compliance date for 3 months. This article will outline this new schema, which has real-world implications beyond its catchy NASCAR-esque moniker.
Red Flag Issues
Some of the HIPAA compliance requirements should have prepared you for the Red Flags Rule, as both have the same goal — keeping patient data safe, private and secure. The issues raised by the Red Flag rules are two-fold:
1. Compromise of financial information integrity, and
2. Compromise of the integrity of the medical record.
Patient Data and Identity Theft
A growing concern addressed by this rule is identity theft. Millions have suffered from identity theft, which can result in false charges on their accounts, false issuance of credit cards and impairment of credit history. Society, patients, insurers and providers all pay the price for identity theft.
One of the few HIPAA cases that resulted in prosecution and imprisonment involved a Seattle radiation technician. Expecting that a patient being treated at the Fred Hutchinson Cancer Research Center would die, the technician stole the patient’s identity and credit card information. However, the patient lived and the technician was sentenced to 16 months in prison in 2004.
FTC Enforcement
At present, it remains unclear what form the FTC’s enforcement of the Red Flags Rule will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but they do not provide individuals with a right to sue for failure to comply with the new rules. Whatever the enforcement may be, here is a look at what you need to know.
The Full Story
The FTC issued a final rule in the November 9, 2007, Federal Register for what is commonly referred to as the “Red Flags Rule.”[1] The regulation implements the Fair and Accurate Credit Transactions Act of 2003 (FACTA), 15 U.S.C. § 1681,[2] and requires financial institutions and creditors to develop and implement written identity theft prevention programs. The regulation’s preamble included language specifically addressing health care and referencing concerns related to medical identity theft.
Creditors and Covered Accounts
According to the FTC, a “creditor” is any entity that offers or maintains one or more “covered accounts” or that maintains multiple accounts that involve or permit multiple payments or transactions — i.e., accounts that involve deferred payments.
In the provision of medical services, a “covered account” would include any patient account where the patient is not required to pay for all of the medical services or care at the time of service. It would also include an account under which the patient pays a co-pay at the time of service, the practice seeks payment from a health plan, and the patient is later billed for any remaining balance.
Who Must Comply and How
The American Medical Association has said it will use the 3-month reprieve that pushed the deadline for compliance from May 1 to August 1 to convince the FTC and Congress that physicians are not creditors and therefore should not be subject to the rule. But, for now, the FTC has deemed physicians creditors who, therefore, must comply with the Red Flags Rule. However, in the unlikely event that you are always paid up front and in full and if you never defer payments for services, it’s possible the Red Flags Rule does not apply to you.
Any entity the FTC deems a “creditor” must institute a written identity theft prevention program designed to prevent, detect and mitigate the risk of identity theft for all existing and new covered accounts. As part of the program, the creditor must have in place policies that identify potential patterns, practices or activities that would alert the creditor to a possible case of identity theft. (See Table above.)
Identity Theft Prevention Plan Components
In order to comply, your medical practice will need to create an identity theft prevention plan containing procedures to:
1. Identify signs of a possible risk or occurrence of identity theft in the business — what federal regulators are calling “Red Flags,” including:
• discrepancies in customer information and
• suspicious account activity.
2. Respond in a proper way to any Red Flags to prevent identity theft from happening, including:
• monitoring suspicious activity,
• contacting customers and
• notifying law enforcement.
3. Develop preventative measures, including plans to:
• continually assess the identity theft risks to customers,
• continually update the identity theft prevention plan, as necessary,
• train staff to administer the program, and to exercise oversight over service providers employed to manage customer accounts and information.
Development and Evaluation Checklist
Just as some practices bring in an outside consultant or designate an internal person to meet CMS and OIG guidelines, consider auditing your practice for potential Red Flag issues and making sure you are equipped to deal with any that arise.
Safeguarding of Information
• Are you shredding all documents with identifiable financial data?
• Are your computers secure?
• Do you lock cabinets that contain sensitive documents?
• Are you aware of all credit accounts in the Red Flags Rule’s ambit, not just the large balance accounts?
Written Program Details
• Detail identity theft attempt responses.
• Identify methods used to stop theft attempts.
• List methods to mitigate the security breach.
• Identify potential red flags within your institution.
• Devise methods for the practice to detect red flags in real time.
Resources/Service
Remember, you are not alone in coping with the Red Flags Rule. If you have questions, you can look to many of the same resources and services used for other aspects of your practice including:
• Risk management
• Security
• Privacy officer if you have one for HIPAA
• Information technology
• Attorney/Accountant
• Bank
• Clearing houses
• Outside consultants
• Outside auditors.
Implementation Requirements
• Obtain signoff from your board of directors or managing committee before you go live. The FTC holds senior leaders accountable for the program’s effectiveness.
• Monitor implementation of your procedures. Issues come up and the only constant with implementation is the unexpected, so it will be a work in progress.
• Train everyone. HIPAA requires protection of patient information. Leverage HIPAA to implement a Red Flags Rule compliance program.
Face up to the challenge
In sum, medical practice is only getting more difficult. As with HIPAA, the Red Flags Rule leaves specifics to the organization’s discretion, but you need to work to educate yourself and your co-workers with educational material and with written documents of some sort. The FTC fines are substantial, so put together an identity theft protection plan now — it’s in your and your patients’ best interests.
Dr. Scheinfeld graduated from Harvard Law School in 1989 and Yale Medical School in 1997. He’s an Assistant Clinical Professor at Columbia University.
Disclosures: Dr. Scheinfeld has no conflicts of interest with the subject discussed in this column.