Red Flags Rule Compliance Date: November 1, 2009

Update: The Federal Trade Commission (FTC) has delayed the compliance deadline of the Red Flags Rule until Nov. 1, 2009. The AMA will utilize this time to convince the FTC and Congress to republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program.

Protect Your Patients, Protect Your Practice

The Federal Trade Commission (FTC) has delayed the compliance deadline of the Red Flags Rule until November 1, 2009. The AMA is trying to convince the FTC and Congress that physicians are not "creditors" and therefore should not be subject to this rule. In the interim, and because of the immediacy of the implementation date, the AMA has prepared a guidance document, along with sample policies, so that members can incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies.

What is the purpose of the Red Flags Rule?

The Red Flags Rule requires certain entities to develop and implement policies and procedures to protect against identity theft. Identity theft occurs when someone uses another’s personal identifying information, such as a Social Security number, credit card number, or insurance enrollment or coverage data, to commit fraud or other crimes. In the case of physician practices, medical identity theft is of particular concern. Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity, such as insurance information, without that person’s knowledge or consent to obtain or make false claims for medical services or goods. Medical identity theft can also result in erroneous entries into existing medical records and can involve the creation of fictitious medical records in the victim’s name.

Who has to comply with the Red Flags Rule?

The Rule applies to any institution considered a “creditor”.
The FTC considers physicians who accept insurance or allow payment plans to be creditors and therefore subject to the Red Flags Rule. The FTC takes the position that physicians extend credit by allowing deferred payment until services are rendered and insurance is collected. The AMA does not believe the FTC interpretation is consistent with the intent or scope of the enabling legislation and is continuing efforts to avoid application of the Rule to physician practices. Physician practices that accept insurance or allow payment plans are covered under the Red Flags Rule and must have adequate policies and procedures in place by

How does the Rule differ from HIPAA privacy and security rules?

HIPAA is intended to protect personal health information (PHI) for security and privacy purposes. PHI as defined by HIPAA is covered by the Red Flags Rule, but the Rule extends to other sensitive information:
Compliance boils down to making sure your patients are who they say they are. Here are a few steps to get you started:

Check every patient’s ID. Before making a copy of the driver’s license or government-issued ID card, take a closer look and make sure the photo and information match your patient, and that it hasn’t expired. And if the address on the card doesn’t match the one the patient gave you, ask questions.

Look out for suspicious activity. What if a patient gives you insurance information over the phone, but can’t produce the card in person? Or the medical record doesn’t match the information a patient gives?

Fine-tune your system for interacting with patients remotely. If a patient calls to ask about her bill, ask for her driver’s license number. Consider having her sign and fax you a statement that you can compare with what you have on file.

Separate clinical and financial information. Keep financial information secure by limiting staff access to sensitive financial patient information, such as the Social

Set up a comprehensive program. Your Red Flags policy must show the procedures you’ve put in place to detect the red flags, describe how you prevent identity theft, and include details on how you’re training staff on the new procedures. It also must be approved by your Board of Directors and kept up to date to address new risks.

It’s smart to warn your patients of the changes, so they won’t forget to bring along the right information to their next appointment. Send a letter or postcard, and ask them to stop by the office any time to have their ID copied. Some patients may be frustrated by the new procedures, so be ready to put a positive spin on it by explaining that the new rule aims to protect their identity.
Ultimately, the Red Flags Rule will allow your practice to collect better information on your patients, which can mean more efficient billing and fewer denials from third-party payers, Herrin says, adding, “And it all comes back to money.”

For more information visit: