Readying for the Red Flags Rule: It pays to be prepared

In order to give creditors, which by definition include many radiology groups and imaging facilities, more time to comply with its Red Flags Rule, the Federal Trade Commission (FTC) has announced that it will delay enforcement of the rule until August 1.

What is the Red Flags Rule?

Healthcare business and legal affairs expert Mark F. Weiss.

The Red Flags Rule is federal regulation aimed at detecting identity theft through the identification by financial institutions and creditors of "red flags," or indicators of possible identity theft appropriate to the specific business relationship, so that action can be taken to expose actual instances of that crime, mitigate its damage, and prevent future occurrences.

Despite protest by the American Medical Association (AMA) and other groups that the federal statute pursuant to which the Red Flags Rule was issued was never meant to cover the patient-provider relationship -- and that, therefore, the rule is overbroad -- the FTC has not agreed with that position.

In announcing the extension of the enforcement date, the FTC acknowledged the debate concerning the scope of the rule and stated that it will release a template to help entities with a low risk of identity theft, including those that know their customers personally, comply with the law.

Why should radiologists and imaging facilities be concerned?

Radiologists and imaging facilities need to be concerned with the rule and compliance with it for several reasons.

First, the penalty for noncompliance could be as high as $2,500 for each "knowing violation." As it is likely that an entity's noncompliance would be global and not just limited to a single instance, it's conceivable that an entity liable for one penalty would be simultaneously liable for many penalties.

Second, there are other good reasons to comply with the rule besides the avoidance of penalties:

  • The rule operates as a logical component to patient privacy laws, including HIPAA, with which your practice already complies. HIPAA and other privacy laws are designed to keep a patient's healthcare information restricted to those who should be using it -- the Red Flags Rule operates to prevent a patient's healthcare information from being "polluted" with inapplicable data, the data of a third party who has assumed the patient's identity. In this light, the Red Flags Rule is another component of assuring data security and trustworthiness.
  • Unpolluted data not only benefits the "real" patient, in certain circumstances it can benefit your ability to interpret and diagnose. For example, it increases the chances that an image taken previously is really of the same individual.
  • Additionally, it increases the odds that you will not be conned into providing care that will not be reimbursed. For example, Ms. Jones' carrier will not pay for services delivered to Ms. Smith masquerading as Ms. Jones.

Is my practice required to comply with the rule?

The rule sets out a test to determine if you fall within its scope.

First, you must be a creditor, which, for medical practices or facilities, means that you regularly defer payment by your patients through accepting payment from their carrier or by allowing payment plans.

If you are a creditor, the rule applies only if you have accounts, which requires a continuing relationship with your patients. Although it might be conceivable that your practice has one-time patient encounters only, most if not all practices will have multiple transactions with some patients and will, therefore, fall subject to the rule.

The next step is to determine if your accounts are considered covered accounts. There are two tracks to covered account status. One is that the service underlying a multiple payment account relates to personal, as opposed to business, purposes; most healthcare services would be included within this track. The other track is that there is a reasonably foreseeable risk of harm (financial, operational, compliance, reputation, or litigation risk) to your customers or to your practice from identity theft.

We're covered, so now what?

If your practice or facility is covered by the rule, you are required to implement a written identity theft prevention program by August 1, 2009. The program must be approved by your entity's board of directors or like governing body or by senior management.

The first step in developing the program is to identify red flags of identity theft relevant to your operation. For example, red flags might include identification that is obviously forged or phony, a social security number outside of the date range of the patient's stated age, an address that turns out to be nonexistent or otherwise not valid, or receipt of a complaint from the person receiving your statement that he or she has never been a patient of your practice.

You have to design and implement procedures for identifying those red flags, with respect to both new patient accounts and existing ones. This includes staff training on implementing policies designed to discover incidents of red flags.

You also need a plan for how to react if a red flag is detected. Your plan might include steps such as informing the police and other authorities, notifying the victim of the identity theft, and assessing the injury to your practice and its medical records.

Finally, your identity theft prevention program must be overseen by your entity's board, senior management, or someone to whom that task is delegated. And, you need to make periodic assessments of how your plan is operating and of any changes to it that should be made.

The practical bottom line

From a practical perspective, it makes little or no sense to rely on the argument that the Red Flags Rule or the statute underlying it is overbroad and not meant to apply to healthcare providers.

Even if the FTC were to change its position on the applicability of the rule, it benefits radiologists and imaging facilities to adopt its practices to reduce the risk of creating medical data that pollute your medical records, and to increase the chances that you will be paid for your services.

Lastly, compliance is relatively easy, especially when considered as a complement to existing HIPAA policies and procedures.

By Mark F. Weiss
AuntMinnie.com contributing writer
May 26, 2009

Mark F. Weiss is an attorney who specializes in the business and legal issues affecting radiology and other physician groups. He holds an appointment as clinical assistant professor of anesthesiology at University of Southern California's Keck School of Medicine and practices nationally with the Advisory Law Group, a firm with offices in Los Angeles and Santa Barbara, CA. Mr. Weiss provides complimentary educational materials to our readers. Visit www.advisorylawgroup.com for his free newsletter. He can be reached by e-mail at [email protected].


Copyright © 2009 Mark F. Weiss
