The Federal Trade Commission (FTC) has issued new Red Flag Rules that
require financial institutions and creditors to develop a written identity
theft protection program that detects possible patient or customer identity
theft by Dec. 31, according to the FTC.
“It is an additional protection mechanism for customers,”
Wendy Miller, BOC, facility accreditation director,
BOC International, explained to O&P Business
News. “Where HIPAA protects confidentiality of a patient’s
medical information, the Red Flag Rules protect personal financial information.
Every health care provider must review its billing and payment procedures to
determine if it is covered by these rules.”
According to Miller, a provider is a creditor if you:
- Regularly bill patients after the completion of services, including
the copayment or other remainders of medical fees not reimbursed through
- Regularly allow patients to set up payment plans after services have
been rendered or goods have been provided; or
- Help patients obtain credit from other sources, such as distributing
and processing applications tailored to the health care industry.
The FTC defined a covered account as an account used for personal,
family or household purposes. Covered accounts are consumer accounts that allow
multiple payments or any other transaction with a reasonably foreseeable risk
of identity theft, according to Miller. The accounts practitioners open and
maintain for their patients are generally considered covered accounts.
O&P and pedorthic practices must develop a written Identity Theft
Protection Program because they are providers who are considered creditors with
“As providers of orthotics, prosthetics and pedorthics, it is
common to obtain and maintain insurance information for patients,” Miller
said. “Most providers have billing practices and/or procedures that allow
patients to pay deductibles and/or co-pays after the provider has billed the
insurance company. This would mean that the practice or organization is a
creditor with covered accounts.”
The FTC provided guidelines to assist those who are developing their
identity theft program. Miller recommended that O&P organization leaders
designate an individual or committee to implement and oversee the program.
According to the FTC, all plans should be written and designed to
detect, prevent and mitigate identity theft in connection with opening a
covered account or current covered account and be of appropriate size for the
practice and scope of activities.
Identity theft is a major concern for many customer-centric industries
“The Red Flag Rules have been implemented to improve the current
business practice, as it demonstrates an organization’s intent to protect
their clients’ information,” Miller said.
According to Miller, a few extra steps or precautions are necessary to
comply with the rule. They would include:
- Patient identity verification and authentication; or
- Authentication of insurance information; or
- Verification of medical history; or
- Confirmation of address change; or
- Patient education and awareness of identity theft.
“In the spring, I spoke at Essentially Women on the Red Flag Rules
and the audience was engaged and eager to learn how to spot and prevent
identity theft,” Miller said. “They were also concerned with how they
would be able to quickly implement a plan.”
Miller acknowledged that most business owners have found it challenging
to keep up with the changing federal regulations while also running a
successful practice. The FTC has been trying to enforce the Red Flag Rules
since 2008. The enforcement date was moved from Nov. 1, 2008 to June 1 of this
year, before being further delayed to Dec. 31.
“To me, a practitioner’s focus is on patient care, not on
keeping up with regulatory changes,” she said. “To help practitioners
maintain this focus, I believe it is the duty of professional organizations and
certification boards to inform their stakeholders of regulations that may
affect them personally and professionally.”
Miller also reiterated that membership, certification and accrediting
bodies are always available to answer questions regarding new legislation or
“Business owners and organizational leaders should also attend
their professional organization’s conferences, as this is where they can
become educated on changes within the industry,” she said.
The Red Flag Rules are far reaching and tie into the new HIPAA and
HITECH rules that have been in effect since February 17. The Red Flag Rules
policies and procedures must be in place by December 31. After Jan. 1, 2011,
the enforcement will be complaint or breach driven.
If a creditor or patient suspects the facility has breached the personal
identity of a patient, the FTC’s enforcement arm takes over. Facilities
without a Red Flag Program will be subject to large fines and punitive damages.
Additionally, any breach of personal identity information is an unauthorized
disclosure of protected health information which violates the HIPAA statutes
and can result in fines up to $1.5 million.
Each health care facility must have Red Flag Rules identity theft
protection and new HIPAA compliance policies and procedures manuals. Without
these manuals, the facility risks its ability to operate if an improper
disclosure occurs, intentionally or unintentionally.
— Jeff Hedges
President, R.J. Hedges &