Doctors prepare for ID theft rules
■ Organized medicine continues to challenge the "red flags" rules during the additional three months before enforcement starts.
By Amy Lynn Sorrel — Posted May 18, 2009
Pediatric Associates' compliance officer C. Rocky Slonaker, MD, breathed a sigh of relief when he heard that his practice would have more time -- until Aug. 1 -- to comply with the Federal Trade Commission's new identity theft prevention rules.
The "red flags" rules -- which require creditors to implement a formal policy for detecting and preventing identity theft -- were not on Dr. Slonaker's radar. It wasn't until the FTC last fall delayed the original Nov. 1, 2008, compliance date to May 1 that he became aware the rules also applied to the health care industry.
Pediatric Associates, a 21-office South Florida group practice, managed to formalize a plan by April 30, the day the latest three-month delay was announced. The process largely involved enhancing existing privacy and security policies required by the Health Insurance Portability and Accountability Act.
"It wasn't a huge stretch, and [the extra time] gives us a buffer to see if our policy is doing what it's supposed to do," Dr. Slonaker said. "The biggest concern is, we want to make sure patient care doesn't come to a grinding halt."
That echoed at least some of the initial worry from organized medicine when the FTC indicated that physicians are considered creditors under the rules. The regulations were authorized under the 2003 Fair and Accurate Credit Transactions Act, which requires entities that regularly extend credit, or defer payment for services, to establish an identity theft policy.
The American Medical Association and several medical organizations continue to challenge what they believe is an overly broad legal interpretation by the FTC. Until the issue is resolved, however, organized medicine and legal experts urge doctors to get in compliance.
Finding flags
"These are legal requirements that take planning," said Yarnell Beatty, general counsel to the Tennessee Medical Assn. Doctors can face stiff fines for noncompliance, he warned.
The rules require physician practices to identify red flags, or warning signs, of potential identity theft occurrences, create a corporate policy for responding to such risks and train staff on the new policy.
"What's good about this [rule] is it allows customization and allows you to take into account experiences in your own medical practice," said John S. Mulhollan, a health care lawyer with Baker Hostetler in Cleveland.
HIPAA may be a good starting point, but the FTC rules require distinct security policies that focus more on financial data than medical data, Mulhollan said. Implementation also may prove more effective if a specific staff member is assigned to oversee the policy and procedures.
Pediatric Associates already had a number of checks to verify a patient's information as well as the identification of parents or guardians, Dr. Slonaker said. Staff now take additional precautions and pay attention to other red flags, including:
- Documents that look altered or forged.
- Discrepancies in or absences of Social Security numbers or insurance cards.
- Records showing inconsistent information.
- Bills for services never rendered or insurance claims denials.
"The burden was more in reading the law and translating those expectations to health care," Dr. Slonaker said. He hopes a policy template promised in the FTC's latest announcement and planned for release on the commission's Web site will offer stronger guidance.
A reasonable approach
The Florida medical group tried to stick with what it considered reasonable practices. "If we are only allowed to give information over the phone on how to care for fever to a verified guardian, that's an access-to-care issue for me," Dr. Slonaker said. "But if it's just 'this is what we do for fever,' and we're not giving out any identifying information, it may not really matter if you were Johnny's mother or not."
Mona Reimers, a practice manager at Orthopaedics NorthEast, a multi-office practice in the Ft. Wayne, Ind., area, also said stringent prior HIPAA policies made compliance less of a hassle than expected. Because it is an orthopedic practice, individuals posing as patients to obtain narcotics came up as a common red flag. The group also tried to prepare patients by alerting them that certain administrative requirements were for their protection.
But Reimers anticipates the real challenge will come in updating the policy and training staff as new issues arise. The FTC rule also was ill-planned considering what appears to be an overlap with additional, forthcoming HIPAA requirements under the most recent federal stimulus package, she said.
"Of course we want to protect patient privacy. It's good business," she said. "But at a time when we're trying as a country to make administrative simplifications to lower health care costs, this [red flags requirement] went in a completely opposite direction."
Mulhollan stressed that the rule can help improve patient care. "This not only prevents patients' benefits from being hijacked but also from having the wrong medical information from being placed in their record because of fraudulent activity, which creates a clinical risk."
The TMA's Beatty urged doctors to keep it simple and take advantage of a number of free resources from the FTC and organized medicine.
"Don't wait until the last minute," he said. "Make the investment so at least your staff are aware of the issue and you are in compliance on day one. Then it's one less issue to deal with."