Physicians and health care organizations must implement a formal identity theft prevention program to protect their patients under a little-known set of regulations called the Identity Theft Red Flags Rule.
The rule, issued by the Federal Trade Commission (FTC) in 2007 and to be enforced in August 2009, is aimed primarily at creditors and financial institutions. However, after publication of the rule, the FTC informed physician groups that it was interpreting the term “creditor” broadly to include health care professionals who regularly allow consumers to defer payment for services. Therefore, any medical practices that allow patients to defer payment while they bill insurance would be covered under the rule.
Physicians and other health care professionals are required to come into compliance with the rule as of Aug. 1.
The rule requires that health care professionals develop and implement a written identity theft prevention and detection program to protect consumers. Organizations must conduct a risk assessment to determine their vulnerability to identity theft. Next, they must develop and implement a written identity theft program to identify, detect, and respond to those risks.
As part of the plan, organizations must specify how they will detect the “red flags” alerting them to potential identity theft. The program also must include how the organization will respond once a red flag is detected.
Identity theft is most commonly associated with financial transactions, but there is increasing concern about it in the health care sector, according to the FTC. For example, medical identity theft can occur when a patient seeks care using the name or insurance information of another person.
For most physicians working in settings with a low risk for fraud, an identity theft program could be simple, according to the FTC. For example, staff members at the practice could check a photo identification at the time services are sought. Another part of a basic program would be to develop steps to take in the event that someone's identity has been misused. That might include not collecting debt from the “true consumer” and not reporting the debt on the consumer's credit report. Practices should ensure that the correct medical information is in the patient's chart, according to the FTC.
But the interpretation of physicians as creditors has raised the hackles of the American Association of Clinical Endocrinologists, the American College of Physicians, the American Medical Association, and several other physician organizations. Those groups contend that physicians are being inappropriately labeled as creditors, and that the requirements place an undue burden on physicians that could adversely affect patients' access to services.
“It will create more bureaucratic burden at a time when we aren't getting any breaks with reimbursement,” said Dr. R. Mack Harrell, a member of the AACE board of directors and chair of the organization's socioeconomics committee.
Most physicians will likely need to purchase some type of new software and updates to comply with the FTC's requirements for an identity theft prevention program, creating additional costs for medical practices, Dr. Harrell said. When federal lawmakers establish these types of regulatory mandates, they need to factor in the costs to implement them and adjust physician payments accordingly, he added. “It's an ongoing tale of rising expenses.”
Another objection that many physician groups have to the Red Flags Rule is that they did not have an opportunity to comment on its impact before it was issued. Since the 2007 rule did not explicitly mention physicians, the AMA and others contend that the FTC must publish a new rule and put that new rule out for public comment.
Expert Offers Tips for Compliance With Red Flags Rule
Physician practices that seek to comply with the Red Flags Rule can begin by appointing a compliance officer for the identity-theft prevention program, said Sai Huda, an expert in financial services regulation.
The next step is to conduct an inventory of medical services that are covered by the rule, said Mr. Huda, chairman and CEO of Compliance Coach Inc., a provider of regulatory compliance software in the financial services industry. Under the rule, practices also must identify the applicable red flags for each of their covered services and develop procedures to detect and respond to potential identity fraud.
Those steps will go into the written prevention plan, but the work isn't done once the plan has been written, Mr. Huda said.
Other key elements of compliance with the Red Flags Rule include staff training on the program and periodic updates to the plan based on new trends in identity theft and experiences within the practice.