Identity Theft Compliance (Red Flag Rules)

FTC Puts Red Flags Rule On Hold
Action, July 1, 2010

The Federal Trade Commission (FTC) now says it will not enforce the "red flags rule" until after a lawsuit seeking to prevent the anti-identity theft rules from applying to physicians is resolved. It previously had delayed the rule to give Congress time to consider legislation that would exclude physician practices with 20 or fewer employees from being covered by it.


Update: FTC Delays Red Flag Rule Until December

The Federal Trade Commission (FTC) has delayed until Dec. 31 enforcement of the "red flags rule" [PDF] that was scheduled to take effect June 1. The agency said several members of Congress asked it to delay the rule while lawmakers consider legislation "that would affect the scope of entities covered by the rule."

The FTC statement apparently referred to HR 3763 by U.S. Rep. John Adler (D-N.J.). The bill amends the Fair Credit Reporting Act to exclude physician and accounting practices with 20 or fewer employees from the definition of a creditor. The U.S. House of Representatives passed the bill last Oct. 20 and sent it to the Senate where it was referred to the Committee on Banking, Housing, and Urban Affairs. It remained there as this issue of Action was prepared.

In May, the American Medical Association, the American Osteopathic Association, and the Medical Society of the District of Columbia sued the FTC [PDF] to keep it from forcing physicians to comply with the rule.

The rule says physicians who regularly bill their patients for services (including billing for copayments and coinsurance) are creditors and must develop and implement written identity theft prevention programs for their practices. The programs must identify and respond to patterns, practices, or specific activities known as "red flags" that could indicate identity theft.

The lawsuit, prepared by the Litigation Center of the AMA and State Medical Societies (TMA is a founding member, and TMA General Counsel Rocky Wilcox is the current chair of the executive committee), charges that the FTC's rule exceeds the powers delegated to it by Congress and that its application to physicians is "arbitrary, capricious, and contrary to the law."


Lawsuit Challenges Red Flag Rule

The American Medical Association (AMA), American Osteopathic Association and the Medical Society of the District of Columbia sued the Federal Trade Commission (FTC) May 21 to keep it from forcing physicians to comply with the FTC's "red flag rule" that takes effect June 1.

The rule says physicians who regularly bill their patients for services (including billing for copayments and coinsurance) are creditors and must develop and implement written identity theft prevention programs for their practices. The programs must identify and respond to patterns, practices, or specific activities known as "red flags" that could indicate identity theft.

The lawsuit, prepared by the Litigation Center of the AMA and State Medical Societies, charges that the FTC’s rule exceeds the powers delegated to it by Congress and that its application to physicians is “arbitrary, capricious and contrary to the law.”

Filing of the lawsuit does not suspend the June 1 deadline. While litigation seeking to free physicians from the unlawful enforcement of the red flags rule proceeds, sign up for the Red Flag Rules Recorded Webinar for review of the new FTC regulations and practical tools such as action plans, policies and procedures, and implementation techniques to assist physicians with compliance.


Beginning June 1, 2010, physicians who regularly bill their patients for services (including copayments and coinsurance) must comply with Federal Trade Commission (FTC) regulations (PDF) that require covered entities to develop and implement identity theft prevention programs. According to the FTC, programs must identify and respond to "patterns, practices, or specific activities - known as 'red flags' - that indicate the possibility of identity theft." Failure to comply could result in penalties of up to $2,500 per "knowing violation."

The Red Flag Rules are not a “one-size-fits-all” standard. In fact, they state that an identity theft prevention program must be “appropriate to the size and complexity of the [office] and the nature and scope of its activities.” All compliance programs, however, must address plans to: 

1. Identify red flags the practice may come across in day-to-day operations;
2. Detect red flags that are identified;
3. Respond appropriately when a red flag is detected; and
4. Re-evaluate the program to reflect new risks and necessary modifications. 

In addition to documenting policies and procedures, practices also must incorporate the compliance program into daily business operations -- much like HIPAA compliance. The program must be approved by the organization's board of directors (or senior leadership), with designation of a compliance officer. And, because employees play such an important role in preventing and detecting identity theft, the program also must include staff training.

Sample Policies and Procedures

TMA developed these sample policies and procedures to assist members in developing their own identity theft compliance plans. Although they are a good place to start, individual practices may need to revise them to reflect the scope of their activities. It is important to note that these policies and procedures are specific to Red Flag Rules and do not reflect HIPAA compliance practices. To fully ensure privacy and security compliance, a practice will need both identity theft and HIPAA policies and procedures.

Educational Programs

 

TMA's Red Flag Rules recorded webinar is now available for download. This program reviews the new FTC regulations and offers practical tools such as action plans, policies and procedures, and implementation techniques to assist physicians with compliance. One registration fee of $50 will train your entire staff. Register for this recording now! If you have questions or require assistance, contact the TMA Knowledge Center at (800) 880-7955.
