Doctors and Other Small Businesses are Not “Creditors” Under Red Flags Rule

The President has signed a bill that clarifies the term “creditor” in the Red Flags Rule, excluding doctors and other small businesses.

The Red Flag Program Clarification Act of 2010 limits application of the Red Flags Rule to creditors that regularly and in the ordinary course of business: (1) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to certain consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on a person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf.

The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act, where Congress directed the Federal Trade Commission and other agencies to develop regulations requiring creditors and financial institutions to address the risk of identity theft. The resulting rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft.

The Red Flag Program Clarification Act clarifies that small businesses such as doctor’s offices are not classified as creditors because they do not offer or maintain accounts that pose a risk of identity theft.

© 2011 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

 

Healthcare Professionals Ask FTC for Exemption from Red Flag Rules

The heads of the American Medical Association, the American Dental Association, the American Osteopathic Association, and the American Veterinary Medical Association have asked the Federal Trade Commission (“FTC”) to declare that its identity theft prevention rules (the “Red Flag Rules”) do not apply to their licensed professionals.

Following the November 2009 United States District Court decision in American Bar Association v. FTC, which held that the Red Flag Rules did not apply to legal professionals, the healthcare organizations decided to issue a joint letter to the FTC requesting the same treatment.  The healthcare organizations specifically requested that the FTC:  (1) announce that the rules will not be applied to licensed health care professionals until at least ninety days after the final resolution of the ABA litigation; and (2) commit that if the result of the final ABA litigation is that the Red Flag Rules will not be applied to lawyers, the FTC will provide the same exemption to licensed health care professionals.

The letter discussed the great cost and burdens on healthcare professionals in complying with the Red Flag Rules and stated that if lawyers were exempt from the rules, it would be unfair to subject healthcare professionals to them.

© 2010 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

FTC Red Flag Rules Enforcement Delayed Until June 1, 2010

The Federal Trade Commission (“FTC”) has again extended enforcement of the Red Flag Rules, now until June 1, 2010.

The latest delay comes at the request of Congress, which is considering a bill that amends the identity theft rule by eliminating entities with fewer than 20 employees from complying.  The House of Representatives passed that bill in late October 2009. The bill is now in the hands of the Senate.

The Red Flag Rules impact financial institutions and creditors subject to FTC jurisdiction. According to the Rules, created under the Fair and Accurate Credit Transactions Act, creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft.

Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to November 1, 2009.

For more information on the Red Flag Rules, visit: https://vwhealthlaw.wordpress.com/category/red-flag-rules/.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

FTC Extends the “Red Flag” Rules Deadline Again

The Federal Trade Commission (“FTC”) has now announced that it will postpone the enforcement of the red flag rules until November 1, 2009.  The red flag rules require creditors, including physicians and hospitals, to adopt written plans for tracking and responding to indicators of identity theft in their billing operations.  The move to extend the August 1, 2009 deadline is the third time the FTC has changed the enforcement date.  The agency is again promising additional resources and guidance.  Initially, the rules were intended to be enforced beginning in November 2008, but the agency offered a reprieve in response to significant confusion about the rules.  The FTC continues to maintain that hospitals and physicians are creditors for the purposes of the red flag rules because they accept deferred payment for their services.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Red Flag Rules Effective August 1, 2009

Just a reminder that the red flag rules will be enforced beginning August 1, 2009.  The red flag rules require creditors to implement a formal policy for detecting and preventing identity theft.  The rules were authorized under the 2003 Fair and Accurate Credit Transitions Act, which covers entities that regularly extend credit, or defer payment for services.  The FTC is still taking the position that health care providers are considered creditors under the rules.

The red flag rules require health care practices to identify red flags, or warning signs, of potential identity theft events, to develop a corporate policy for responding to such risks, and to train employees on the new policy.

Health care providers should consider the following when developing and implementing their identity theft prevention policies:

1. Identify warning signs of potential identity theft that may occur in day-to-day operations. Such red flags may include bills for services not provided, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.
2. Outline clear procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.
3. Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.
4. Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.
5. Review and update the identity theft prevention policy at least annually.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Red Flag Rules – The Next Steps for Physicians

The red flag rules, which require creditors to implement a formal policy for detecting and preventing identity theft, also apply to the healthcare industry. The effective date for the red flag rules has been delayed until August 1, 2009. The red flag rules were authorized under “the 2003 Fair and Accurate Credit Transitions Act, which” covers “entities that regularly extend credit, or defer payment for services.” The FTC claims that physicians are considered creditors under the rules. However, the American Medical Association and several medical organizations are continuing to challenge what they believe is an overly broad legal interpretation. In the meantime, organized medicine and legal experts urge doctors to implement the necessary compliance measures. The rules require physician practices to identify red flags, or warning signs, of potential identity theft occurrences, create a corporate policy for responding to such risks, and train staff on the new policy.

Physicians should follow these practical tips when developing and implementing their identity theft prevention policies:

• Identify warning signs of potential identity theft that may occur in daily operations. Such red flags may include bills for services not rendered, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.

• Outline clear procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.

• Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.

• Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.

• Review and update the identity theft prevention policy at least once a year.

 

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

FTC delays enforcement of the Red Flags Rules until August 1, 2009

 

The Federal Trade Commission (“FTC”) has delayed the enforcement date of the Red Flags Rules until August 1, 2009.

Last summer, the FTC announced that it would consider health care providers to be creditors when they accept insurance and bill patients after services are provided for any amounts that insurance does not pay; or if the health care providers regularly allow patients to set up payment plans after services have been performed. The FTC originally planned to begin enforcement of the Red Flag Rules on November 1, 2008, but due to concerns expressed by MGMA and others in the health care industry, the enforcement date was postponed until May 1, 2009.

As a result of continued advocacy efforts, the FTC announced on April 30, 2009, it will further delay enforcement until August 1, 2009 in order to give creditors and financial institutions additional time to develop and implement written identity theft prevention programs. The FTC also announced that it will soon release a template to assist entities with a low risk of identity theft in complying with the Red Flag Rules.

 

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

How to Identify Red Flags

 

A healthcare provider’s Identity Theft Prevention Program should identify red flags in four main categories: (1) suspicious documents; (2) suspicious personally identifying information; (3) suspicious activities; and (4) notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. 

 

All employees who interact with patients must be aware of things to look for in the following areas:

 

Suspicious documents

 

• Has a new patient provided identification documents that look altered or forged? 
• Is the photograph or physical description on the ID inconsistent with what the patient looks like? 
• Did the patient provide other documentation inconsistent with what he or she has told an employee – for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere?  

 

Suspicious personally identifying information

 

• If a patient provides information that does not match what an employee has learned from other sources, it may be a red flag of identity theft. 
• For instance, if the patient provides a home address, birth date, or Social Security number that does not match information on file or from the insurer, this may indicate fraud.

 

Suspicious activities

 

• Is mail returned repeatedly as undeliverable, even though the patient continues to show up for appointments? 
• Does a patient complain about receiving a bill for a service that he or she didn’t get? 
• Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? 

 

Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft

 

• Has the provider or an employee received word about identity theft from another source? 
• All employees must heed warnings from others that identity theft may be ongoing.

 

Although the above list provides some examples of things to look for to identify red flags, it is not intended to be an exhaustive list.  Instead, employees must continuously be aware of any signs of identity theft relevant to the healthcare provider’s practice and share this information with others involved in the Identity Theft Prevention Program.

 

 

 © 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com