
ISMA e-Reports, March 16, 2009

Get ready for federal ‘Red Flag Rules’ that take effect May 1

 

Last year, the Federal Trade Commission (FTC) delayed the date for requiring identity theft prevention programs until May 1, 2009. ISMA Reports covered these rules, which the FTC claims pertain to physicians, in its Oct. 20, 2008, issue. Find it here.

While the AMA voiced opposition to these rules, the FTC still maintains physicians who regularly bill patients for services, like co-pays and co-insurance, are creditors. The AMA continues a fight against the requirements, but the May 1 deadline is fast approaching.

If your practice has not taken steps to comply with the Red Flag Rules, start moving to create a written program with procedures for detecting, preventing and mitigating medical identity theft for patient billing accounts and related medical records.

Red Flag Rules apply to creditors with covered accounts, and understanding these two terms is key to identifying your practice’s responsibilities.

“If your practice is working with patients to pay for services with periodic installment payments or deferred payment plans, you will meet the definition of a creditor under the rules,” said Joseph Suchocki of Eagle Associates, compliance and training consultants in Ann Arbor, Mich.

Here are the basic elements that must be included in an identity theft program, according to Suchocki.

  1. Put in writing reasonable policies and procedures that address the practice’s potential risk, making them easily understood by staff, and appropriate to the size and complexity of the practice.
  2. Identify relevant, potential red flags by evaluating the types of covered accounts that could be subject to possible identity theft. Evaluate billing accounts and medical records as well as methods available to open and access such accounts. Review any past experiences with actual or potential identity theft of billing or medical records. Include notices or incidents involving patients who may have stolen the identity of another.
  3. Identify instances when red flags would likely be detected in connection with opening and accessing of covered accounts, such as a missing or altered photo ID or insurance card.
  4. Respond appropriately to red flags, with policies and procedures that limit the potential for ID theft. Have, for example, a policy that requires patients to present a photo ID upon registration.

Creditor – Any person who regularly extends, renews or continues credit, which is the right granted by a creditor to a debtor to defer payment of a debt. Because the law offers no clear definition, each entity must determine whether its customer payment deferrals occur on a regular basis.

Covered Accounts – Continuing relationships between persons and a creditor whereby the creditor maintains or offers the account for the purchase of goods or services for personal, family, household or business purposes that either: 1) permits multiple payments for transactions such as credit card accounts, or 2) creates a reasonably foreseeable risk to patients or the practice for identity theft. Billing accounts could fall in the first category and medical records in the second category.

Make sure your identity theft program is updated regularly and conduct risk assessments, said Suchocki. “These should be similar to what is being done annually for HIPAA’s Security Standards, to help determine whether the practice offers or maintains covered accounts.”

Finally, your program must be documented and have oversight from a board of directors, committee of the board or employee at a senior management level.

If you need help determining if these rules apply to you or assistance implementing a program, call the ISMA Legal Department for a referral. You may also contact Eagle Associates here or at (800) 777-2337, or Susan Ziel at Krieg DeVault at 317-238-6244.*

Also, plan to view an ISMA/Krieg DeVault webinar March 25 entitled “FTC Red Flag Rules go into effect May 1, 2009 ... Are You Ready?” To learn more or register, visit here and select Red Flag rules from the drop-down menu. Or call (800) 257-4762 or send e-mail here.

*Reference does not constitute an endorsement by the ISMA.