Government

Medicine slams FTC over forcing physicians to police identity theft

Physicians object to the broad application of the "red flag" rules and say they were not forewarned properly. Enforcement begins May 1.

By Amy Lynn Sorrel — Posted April 6, 2009

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Organized medicine and the Federal Trade Commission continue to joust over the application to physicians of new identity theft prevention rules. With a May 1 compliance date just around the corner, neither party shows signs of capitulation.

The FTC regulations require a variety of business entities -- mainly financial and banking institutions -- to implement a written program for preventing identity theft as well as detecting and responding to warning signs of such incidents. The commission maintains that when physicians defer payment for services, they become creditors -- entities that regularly extend, renew or continue credit -- under the "red flag" rules.

The American Medical Association and dozens of state and specialty medical societies repeatedly have objected to what they believe is an unreasonably broad application of the regulations, as well as a lack of forewarning by the FTC.

The commission "did not give physicians an appropriate opportunity for notice and comment on the ruling that the red flags would be applied to them," said AMA Secretary Ardis D. Hoven, MD. "The AMA is calling on FTC to re-publish its rule so that we can make the case that physicians should be excluded."

Doctors agree that medical identity theft is a growing concern for patients and physicians. But they also say the additional regulatory burden may duplicate existing requirements under the Health Insurance Portability and Accountability Act. It imposes an "unjustified, unfunded mandate on physicians, especially small practices," and could have "serious, adverse consequences" on access to care, according to a Feb. 23 letter to the FTC from the AMA and other physician organizations.

After an initial outcry, doctors got some relief when the FTC last October delayed the original Nov. 1, 2008, enforcement date by six months. But that may have been the sole reprieve.

The FTC has no plans to extend the deadline again, said Naomi Lefkovitz, an attorney with the FTC's Division of Privacy and Identity Protection. "That said, we continue to take a view that we're looking for reasonable efforts" by doctors to comply.

The rule was intended to address a wide range of potential identity fraud, Lefkovitz said. But given that scope, the FTC recognized last fall that several industries were caught off guard and extended the enforcement date.

"We would rather people understand the rule and do what is reasonable and effective for their particular circumstances." Lefkovitz said. "While we didn't see any means of exempting people, it was designed to be a flexible rule."

Caught off guard

The red flag rules, mandated under the 2003 Fair and Accurate Credit Transactions Act, were published by the FTC in conjunction with the Dept. of Treasury and other federal financial oversight agencies. The regulations mainly reference banks, mortgage brokers and other lenders.

It wasn't until last summer, just months before the compliance date, that physicians found out they also needed to comply, said Gerald E. DeLoss, vice chair of the American Health Lawyers Assn.'s Health Information & Technology Practice Group.

"It was not expressly indicated by FTC or any other interested party that this would apply to health care," he said. There is no mention of physicians in the final rule, released in June 2008, and only a single reference to medical identity theft.

The medical community continues to question the FTC's view that physicians are creditors by virtue of billing patients after their services are completed, whether through an insurance carrier or by other means. "The claims payment process is not a deferral process," said the February letter from the AMA and others. Rather, it is a process in which physicians have ethical, legal and contractual obligations under state and federal laws that govern insurance relationships and bar physicians from conditioning certain treatment upon payment.

The Medical Group Management Assn. is also concerned that once physicians are considered creditors, they might be subject to additional regulations that have nothing to do with health care, said Amy Nordeng, MGMA government affairs counsel. Her group signed the physician organizations' letter. Doctors also might begin demanding payment up front to avoid the rules, Nordeng warned.

The AMA and others contend that, under federal rule-making requirements, the FTC should have advised physicians of the final rule's broad application through a formal notice and comment process, rather than through informal, after-the-fact statements. The AMA reiterated in a March 9 letter to the FTC the medical community's request that if the rules are to incorporate physicians, new rules should be proposed so a fresh comment period will be held.

"That's the way the rule-making process works, and it didn't work that way with this rule," Nordeng said.

The FTC asserts that its position never changed. "We don't see this as an amendment to the rule, just as an interpretation, and it wouldn't warrant any rule change or comment period," Lefkovitz said.

HIPAA overlap?

Another oversight, Nordeng said, was the additional regulatory burdens the new rules impose when HIPAA already requires physicians to keep patient information private.

But the red flag rules go beyond HIPAA to require physicians to take action should patient information fall into the wrong hands, said Robert Gellman, a privacy lawyer in Washington, D.C. The FTC asserted in a Feb. 4 letter to the AMA that its rules complement HIPAA's requirements.

Under the Fair and Accurate Credit Transactions Act, "Congress said let's try to get ahead of this problem," said Gellman, who co-wrote a 2008 World Privacy Forum report on the red flag rules' application to health care. "Medical identity theft was already on [the FTC's] radar screen when it published this rule, and the problem is, it's a mess for everybody: The doctor who's not getting paid is a victim; the patient whose name or records were used is a victim; insurance companies are victims."

HIPAA also primarily addresses medical records, whereas the red flag rules deal more with financial issues, DeLoss noted.

The good news for physicians is that they likely can hit the ground running by building on existing HIPAA policies to create a red flag compliance program, DeLoss said. The plan can be tailored to a physician's practice based on risk level, Lefkovitz added.

The AMA plans to release physician guidance on the issue by April 10. The piece is scheduled to be online at the AMA Practice Management Center.

Back to top


ADDITIONAL INFORMATION

Red flag rundown

By May 1, physicians must implement a formal identity theft prevention program under the Federal Trade Commission's "red flag" rules. Failure to comply could mean administrative penalties or up to $2,500 in fines per violation. To be compliant, physicians must:

  • Identify relevant warning signs of potential identity theft. Such red flags may include suspicious documents or billing activity, or notices from law enforcement authorities.
  • Establish policies and procedures to detect red flags in day-to-day operations. These may include verifying a patient's identity and insurance information, or reviewing medical records for discrepancies. Implementing the process requires senior management approval and appropriate staff training.
  • Prevent and respond to incidents of identity theft or suspected fraud. This might entail changing account numbers or contacting an insurance carrier to deter the misuse of stolen information. The response also may include notifying the patient of any potential fraud.
  • Update the program periodically to help identify and respond to new risks.

Source: Federal Trade Commission

Back to top


ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn