Avoid red flags
Q. How do I comply with the Federal Trade Commission’s new “Red Flags Rule,” which goes into effect Aug. 1?
A. This rule is based on the perception that healthcare providers may have opportunities in their day-to-day operations to discover the “red flags” of identity theft. Some healthcare providers, therefore, may be subject to this rule, which requires that providers develop identity theft prevention programs.
Your organization is required to comply with the Red Flags Rule only if both of the following requirements are met: Your organization is a “creditor,” as defined by the rule; or you have “covered accounts.”
Healthcare providers are creditors if they accept deferred payments, i.e. bill their patients after services are rendered. Providers that accept insurance are also defined as creditors, if the patient is ultimately responsible for his/her medical fees.
The two types of covered accounts, as defined by the FTC, are: an account that involves or is designed to permit multiple payments or transactions (this applies to ongoing relationships with patients for the provision of medical services); or any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft.
Your identity theft prevention program must have four objectives: identification of relevant red flags, detection of red flags, prevention and mitigation of identity theft, and periodic modification of the program.
To ensure the continued success of your program, the rule requires that it be administered by your board of directors, an appropriate committee of the board or a designated senior-level management employee. Keep in mind that healthcare providers who violate the Red Flags Rule may be subject to civil monetary penalties.
There is always something new in the healthcare industry; the Red Flags Rule is just the latest regulatory hurdle for providers.
Elizabeth Hogue is a private practice attorney. Reach her at 877-871-4062 or email@example.com.