Red flag rules on identity theft take effect soon
A column examining the ins and outs of contract issues
By Steven M. Harris. Posted March 30, 2009.
Effective May 1, many physicians will be required under federal law to assist the government in detecting, preventing and mitigating "red flags" of identity theft.
The Federal Trade Commission implemented the so-called red flag rules, which impose certain duties on financial institutions and creditors with the goal of curtailing the growing issue of consumer identity theft.
The rules originally were supposed to take effect on Nov. 1, 2008, but the FTC delayed them at the behest of the American Medical Association and others in organized medicine. The groups argued that the FTC's inclusion of physicians under this law is wrong. Organized medicine has continued to discuss with the FTC the necessity of taking physicians out from under these rules.
But if that doesn't happen, doctors need to be aware of what to expect.
Physicians are subject to the red flag rules if they satisfy a two-part test.
The first prong requires that the physician is a creditor. That is broadly defined as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."
For example, if a physician renders medical services to a patient without taking full payment at the time of service but rather defers payment by billing the patient, the physician is a creditor under the red flag rules.
If a physician renders medical services to a patient and accepts the patient's co-pay, the physician is a creditor, regardless of whether the physician receives payment from the insurance company. But the acceptance of credit cards as a form of payment does not, in and of itself, deem someone a creditor.
Secondly, the physician must offer or maintain covered accounts for patients.
Under the rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions, and any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to patients of identity theft.
Additionally, the creditor must have a continuing relationship with the patient before the patient's account is considered a covered account. That means a one-time patient would not constitute a continuing relationship.
In applying this definition to physicians, all patient accounts are offered for personal, family, or household purposes, and all such accounts contain personal identification information for which there is a foreseeable risk of identity theft.
These definitions of a creditor and a continuing relationship are the crux of the argument between the FTC and the AMA and other organized medicine groups. Medical associations argue that physicians weren't named specifically in the rules, and that any business that bills after providing a service to a frequent customer would be subject to them, which was not the rules' intent.
Under the red flag rules, physicians who are creditors who offer or maintain covered accounts are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft.
A red flag is defined by the FTC as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." At a minimum, the red flag rules require that the program provide policies and procedures to:
- Identify relevant red flags and incorporate them into the program.
- Detect red flags in patient accounts.
- Respond appropriately to any red flags detected in patient accounts.
- Ensure the program is updated periodically to reflect changes in risks to patients, and to the safety and soundness of the physician, from identity theft.
Additionally, physicians must train staff to implement the program and exercise appropriate and effective oversight of it.
Many of the same safeguards that physicians use to be HIPAA-compliant overlap with those safeguards required to comply with the red flag rules. So you might already be ahead on some of these steps.
Steven M. Harris is a partner at McDonald Hopkins in Chicago concentrating on health care law and co-author of Medical Practice Divorce. He writes the "Contract Language" column.