Red Flag Rules FAQ
- What are the Red Flag Rules?
- When will the FTC begin enforcement of the Red Flags Rule?
- How are healthcare providers considered creditors?
- What is a "covered account"?
- What do the Red Flag Rules Require?
- What are the penalties?
- What resources does AAOMS have available to help us with compliance?
The information provided to you is intended for educational purposes only. In no event shall AAOMS be liable for any decision made or action taken or not taken by you or anyone else in reliance on the information provided. For legal or other professional advice, you need to consult your own professional advisers.
What are the Red Flag Rules?
The Federal Trade Commission, along with the Office of the Comptroller of the Currency (OCC), FDIC, Federal Reserve and various other federal agencies, have issued a set of rules and guidelines regarding identity theft. These new "red flag" rules and guidelines mandate that all financial institutions and "creditors" develop and implement an identity theft prevention program designed to detect, prevent, and mitigate the effects of identity theft by November 1, 2009. The new rules apply to an extremely broad range of businesses that offer certain "covered accounts" to consumers, including any other person or entity that regularly extends, renews or arranges for the continuation of credit to its customers.
When will the FTC begin enforcement of the Red Flags Rule?
The FTC announced in May 2010 an extension of the Red Flags Rule enforcement date from June 1, 2010 to January 1, 2011. On December 7, 2010 Congress had voted to exclude most physicians and dentists from the rule, thanks to the advocacy efforts of several physician led coalitions. The latest rule is awaiting signature by the President. Although many practices have already instituted their identify theft policy in order to achieve compliance by the previous deadline, the AAOMS still considers implementing such identity theft prevention measures good business practice.
How are healthcare providers considered creditors?
Most providers will likely fall under the definition of a creditor because they generally do not collect payment at the time a service is rendered and often hold off billing patients in full. It doesn't matter if you're for profit or nonprofit, large or small, the FTC says the rules apply if you:
- Regularly extend, renew or continue credit to patients, or arrange for someone else to do so;
- Send bills to patients for services after they've left your office or facility;
- Bill a private payer for the services, but the patient is ultimately responsible for the bill if the payer doesn't pay you the amount you're entitled to;
- Bill and collect copayments and deductibles after treating the member, even if you can't bill the member for any covered services.
It's less likely that the rules would apply if you collect all payments up front or look only to the payer for any additional reimbursement. The rules also don't apply merely if you accept credit cards, because that's not deferred payment, but such routine practices as setting up a payment plan or billing an insurance company before charging the patient likely do.
What is a "covered account"?
Under the rules, the definition of "covered account" will encompass any consumer account that permits multiple payments or transactions, or any other account that may pose a reasonably foreseeable risk to consumers or businesses from identity theft. This category may include many healthcare providers given the common post-services payment they receive for healthcare services.
What do the Red Flag Rules Require?
The rules require that all covered entities develop and implement a written compliance program that includes each of the following four basic elements: (1) the identification of red flags, (2) the detection of such red flags, (3) an appropriate response to any such detection, and (4) the periodic review and updating of the overall program. In addition to the inclusion of these elements, each program must be specifically tailored to the size, nature and complexity of the applicable business and should consider trends in the marketplace along with any historical experiences dealing with identity theft. Upon development, each program must be formally authorized and adopted by the entity's governing body or senior management, and such body or persons are required to provide ongoing administrative oversight of the program's implementation, which includes staff training, audit compliance, and the generation of annual assessment reports.
What are the penalties?
The majority of affected persons and entities will fall under the regulatory wing of the FTC. Accordingly, in the event of any knowing violation of the rules, the statute provides that the FTC may commence a civil action with respect to any violation and may seek pecuniary penalties not to exceed $2,500 per infraction. In addition to the prescribed regulatory enforcement actions, any failure to comply with the rules can also serve as the basis for private civil and/or class action lawsuits.
What resources does AAOMS have available to help us with compliance?
The AAOMS will continue to monitor activities surrounding this rule and will inform the membership via the Advocacy E-Newsletter, AAOMS Today, and website. The AAOMS held a Webinar, "How the Red Flag Rules Impact Your Practice" to help you determine whether you need to comply with the Red Flag Rule. If you missed this informative session, an audio CD of the event is available. Also available on the AAOMS E-Store is a compliance manual and template "Red Flag (Identity Theft) Prevention Program & Training Module" to assist all OMS' with implementing a compliance plan protecting their patient's identity and medical information. Furthermore, a checklist to assist you further can be found here. Please dial extension #4339 or e-mail firstname.lastname@example.org with any questions.