Practice Management & Allied Staff News & Materials
Practice Management Matters - Nov/Dec 2008
December 9th, 2008
Question: What are the "red flag" rules and how may they affect my practice?
Answer: The Federal Trade Commission, along with the Office of the Comptroller of the Currency (OCC), FDIC, Federal Reserve and various other federal agencies, has issued a set of rules and guidelines regarding identity theft. These new "red flag" rules and guidelines mandate that, by May 1, 2009, all financial institutions and creditors develop and implement an identity theft prevention program designed to detect, prevent, and mitigate the effects of identity theft. The new rules apply to an extremely broad range of businesses that offer certain "covered accounts" to consumers, including any other person or entity that regularly extends, renews or arranges for the continuation of credit to its customers. Under the rules, the definition of "covered account" will encompass any consumer account that permits multiple payments or transactions, or any other account that may pose a reasonably foreseeable risk to consumers or businesses from identity theft. This category may include many healthcare providers given the common post-services payment they receive for healthcare services.
The rules require that all covered entities develop and implement a written compliance program that includes each of the following four basic elements: (1) the identification of red flags, (2) the detection of such red flags, (3) an appropriate response to any such detection, and (4) the periodic review and updating of the overall program. In addition to the inclusion of these elements, each program must be specifically tailored to the size, nature and complexity of the applicable business and should consider trends in the marketplace along with any historical experiences dealing with identity theft. Upon development, each program must be formally authorized and adopted by the entity's governing body or senior management, and such body or persons are required to provide ongoing administrative oversight of the program's implementation, which includes staff training, audit compliance, and the generation of annual assessment reports.
The majority of affected persons and entities will fall under the regulatory wing of the FTC. Accordingly, in the event of any knowing violation of the rules, the statute provides that the FTC may commence a civil action with respect to any violation and may seek pecuniary penalties not to exceed $2,500 per infraction. In addition to the prescribed regulatory enforcement actions, any failure to comply with the rules can also serve as the basis for private civil and/or class action lawsuits.
This answer was adapted from the Arnall Golden Gregory LLP "Healthcare Authority Newsletter," August 13, 2008. For more information, please visit www.agg.com or contact Matthew V. Wilson at 404/873-8551.
Ed. Note: In late September several national medical associations sent a letter to the FTC requesting a detailed explanation and legal basis for why the red flag rules may affect certain healthcare professionals and their patients. Also, in late October the FTC announced the new 'Red Flags' rule enforcement will be delayed to May 1, 2009.
Question: What steps can we implement at our office to protect our patients from medical identity theft?
Answer: According to the Federal Trade Commission, medical identity theft accounts for 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen in 2005. Aside from implementing office policies and staff training to protect patients' medical records from identity theft, it is crucial to educate your patients on ways they can protect themselves. Healthcare professionals can assist victims of identity theft by giving them a copy of the checklist below, published by the American Health Information Management Association (AHIMA) in the January 2008 Journal of AHIMA and downloadable from www.ahima.org.
This checklist includes contact information for appropriate agencies patients can contact. Some of the items on the checklist include:
"Tools for Victims" provided by the Federal Trade Commission;
Contact the Social Security Administration's fraud hotline at 800/269-0721 if a social security number is suspected of being used inappropriately;
Contact the US Postal Service at 800/275-8777 to obtain the number of the local US Postal Inspector in the case of stolen or misdirected mail;
Contact the US Department of State at 877/487-2778 or travel.state.gov for stolen passports;
Contact both check verification companies, Telecheck at 800/366-2425 and the international Check Services Company at 800/526-5380, to place a fraud alert on the account if the thief has stolen checks;
Contact the health information manager or the privacy officer at the provider organization or the antifraud hotline at the health plan where the medical identity theft appears to have occurred and request an accounting of disclosures. If the provider or plan refuses access to medical records, file a complaint with the Office for Civil Rights at Health and Human Services at 866/627-7748 or www.hhs.gov/ocr/privacyhowtofile.htm;
File a complaint with the Identity Theft Data Clearinghouse, operated by the Federal Trade Commission and the Internet Crime Complaint Center. Information available for filing a complaint can be found online; and
Contact the Department of Health and Human Services at 800/368-1019 or by visiting the Web site at www.hhs.gov/ocr for suspected Medicare or Medicaid fraud.
This answer was adapted from AHIMA e-HIM Work Group on Medical Identity Theft. "Mitigating Medical Identity Theft." Journal of AHIMA 79, no.7 (July 2008): 63-69. Additionally, the "Data Breach Investigation and Mitigation Checklist" published in the Journal of AHIMA 79, no.1 (January 2008): 67-68 (available online) offers organizations guidance on the steps they should take to address medical identity theft.
All quoted material copyright ©2008 by the American Health Information Management Association. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, photocopying, recording or otherwise without prior permission from the publisher.