Government

Doctors prepare for ID theft rules

Organized medicine continues to challenge the "red flags" rules during the additional three months before enforcement starts.

By Amy Lynn Sorrel — Posted May 18, 2009

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Pediatric Associates' compliance officer C. Rocky Slonaker, MD, breathed a sigh of relief when he heard that his practice would have more time -- until Aug. 1 -- to comply with the Federal Trade Commission's new identity theft prevention rules.

The "red flags" rules -- which require creditors to implement a formal policy for detecting and preventing identity theft -- were not on Dr. Slonaker's radar. It wasn't until the FTC last fall delayed the original Nov. 1, 2008, compliance date to May 1 that he became aware the rules also applied to the health care industry.

Pediatric Associates, a 21-office South Florida group practice, managed to formalize a plan by April 30, the day the latest three-month delay was annouced. The process largely involved enhancing existing privacy and security policies required by the Health Insurance Portability and Accountability Act.

"It wasn't a huge stretch, and [the extra time] gives us a buffer to see if our policy is doing what it's supposed to do," Dr. Slonaker said. "The biggest concern is, we want to make sure patient care doesn't come to a grinding halt."

That echoed at least some of the initial worry from organized medicine when the FTC indicated that physicians are considered creditors under the rules. The regulations were authorized under the 2003 Fair and Accurate Credit Transactions Act, which requires entities that regularly extend credit, or defer payment for services, to establish an identity theft policy.

The American Medical Association and several medical organizations continue to challenge what they believe is an overly broad legal interpretation by the FTC. Until the issue is resolved, however, organized medicine and legal experts urge doctors to get in compliance.

Finding flags

"These are legal requirements that take planning," said Yarnell Beatty, general counsel to the Tennessee Medical Assn. Doctors can face stiff fines for noncompliance, he warned.

The rules require physician practices to identify red flags, or warning signs, of potential identity theft occurrences, create a corporate policy for responding to such risks and train staff on the new policy.

"What's good about this [rule] is it allows customization and allows you to take into account experiences in your own medical practice," said John S. Mulhollan, a health care lawyer with Baker Hostetler in Cleveland.

HIPAA may be a good starting point, but the FTC rules require distinct security policies that focus more on financial data than medical data, Mulhollan said. Implementation also may prove more effective if a specific staff member is assigned to oversee the policy and procedures.

Pediatrics Associates already had a number of checks to verify a patient's information as well as the identification of parents or guardians, Dr. Slonaker said. Staff now take additional precautions and pay attention to other red flags, including:

  • Documents that look altered or forged.
  • Discrepancies in or absences of Social Security numbers or insurance cards.
  • Records showing inconsistent information.
  • Bills for services never rendered or insurance claims denials.

"The burden was more in reading the law and translating those expectations to health care," Dr. Slonaker said. He hopes a policy template promised in the FTC's latest announcement and planned for release on the commission's Web site will offer stronger guidance.

A reasonable approach

The Florida medical group tried to stick with what it considered reasonable practices. "If we are only allowed to give information over the phone on how to care for fever to a verified guardian, that's an access-to-care issue for me," Dr. Slonaker said. "But if it's just 'this is what we do for fever,' and we're not giving out any identifying information, it may not really matter if you were Johnny's mother or not."

Mona Reimers, a practice manager at Orthopaedics NorthEast, a multi-office practice in the Ft. Wayne, Ind., area, also said stringent prior HIPAA policies made compliance less of a hassle than expected. Because it is an orthopedic practice, individuals posing as patients to obtain narcotics came up as a common red flag. The group also tried to prepare patients by alerting them that certain administrative requirements were for their protection.

But Reimers anticipates the real challenge will come in updating the policy and training staff as new issues arise. The FTC rule also was ill-planned considering what appears to be an overlap with additional, forthcoming HIPAA requirements under the most recent federal stimulus package, she said.

"Of course we want to protect patient privacy. It's good business," she said. "But at a time when we're trying as a country to make administrative simplifications to lower health care costs, this [red flags requirement] went in a completely opposite direction."

Mulhollan stressed that the rule can help improve patient care. "This not only prevents patients' benefits from being hijacked but also from having the wrong medical information from being placed in their record because of fraudulent activity, which creates a clinical risk."

The TMA's Beatty urged doctors to keep it simple and take advantage of a number of free resources from the FTC and organized medicine.

"Don't wait until the last minute," he said. "Make the investment so at least your staff are aware of the issue and you are in compliance on day one. Then it's one less issue to deal with."

Back to top


ADDITIONAL INFORMATION

The next steps for physicians on red flags

By Aug. 1, doctors must implement a written identity theft prevention policy under the FTC's "red flags" rules. The AMA recommends some practical steps to help physicians get started:

  • Identify warning signs of potential identity theft that may occur in day-to-day operations. Such red flags may include bills for services not rendered, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.
  • Outline specific procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.
  • Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.
  • Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.
  • Review and update the identity theft prevention policy at least once a year.

Source: American Medical Association

Back to top


ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn