Raising the red flag

Sunday, July 26, 2009

ARLINGTON, Va. – HME providers have one week left to comply with a new federal regulation that requires them to put in place processes and procedures to prevent identity theft.

Fortunately, for most, that should not be a challenge, industry attorney Asela Cuervo said last week during an AAHomecare teleconference, “Are you complying with the Red Flag Rules?”

“If you have any kind of compliance program internally, you pretty much have what the basic components of the Red Flag Rule requires you to have,” Cuervo said.

The Federal Trade Commission (FTC) created the rule last year and it applies to all creditors. The FTC defines a creditor broadly. HME providers qualify as creditors if they bill patients after the fact for co-pays and/or deductibles.

Providers who collect payment at the time of dispensing the product or service are not considered creditors, Cuervo said.

Providers who extend credit, must develop a written plan that identifies red flags—patterns, practices or activities that might indicate the possible existence of identify theft, Cuervo said.

These could include: Patient information that doesn’t match other information on file; a fraud alert on a credit report; identification that looks altered or forged; the person presenting the ID doesn’t look like the photo or match the physical description.

Once the Aug. 1 deadline hits, don't expect the FTC to start sending out people to audit healthcare providers, Cuervo said. However, non-compliant providers could be sued or face civil monetary penalties if it’s ever determined that the way they run their business allowed identity theft to occur, she said.

“But the biggest risk that any business runs, especially a business like healthcare that depends so much on their reputation, is the loss of reputation and the bad publicity that would follow having an incident of identity theft,” Cuervo said.