Enforcement of the Federal Trade Commission's "Red Flags Rule" begins Nov. 1. Is your practice ready?
National Report-Health care providers, including urologists, are being drafted into the battle against identity theft.
On Nov. 1, the Federal Trade Commission is scheduled to begin enforcing a rule requiring certain kinds of businesses, including physicians’ practices and hospitals, to develop written plans for identifying and responding to warning signs-red flags-of identity theft. And while many health care providers view the “Red Flags Rule” as another time-consuming, expensive federal mandate they have to follow, urologists who have prepared for it say it need not be either.
More than 8.3 million Americans are victims of identity theft each year, of which the FTC estimates 4.5%, or 373,000, experience medical identity theft-someone pretending to be another person in order to use that person’s health insurance.
Steven Kern, a partner in the law firm Kern Augustine Conroy & Schoppmann P.C. in Bridgewater, NJ, explains that compliance with the rule requires a program that will identify and detect relevant red flags, and mitigate the consequences of identity theft if it does occur. In addition, red flags programs must be updated periodically and be approved by the business’s board of directors, shareholders or-as is the case with most medical practices-senior partner. Businesses found not complying with the rule could face fines or other civil penalties.
The rule was initially scheduled to go into effect on Nov. 1, 2008, but has been postponed several times. The previous implementation date was supposed to be Aug. 1, 2009.
Warning signs of identity theft
The FTC, in its guidelines for complying with the rule, lays out four general categories of warning signs of identity theft. These are: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious forms of personal identification; and notifications from customers, victims of identity theft, or law enforcement authorities about possible identity theft.
The commission’s recommended steps for preventing or mitigating theft include increased monitoring of customer accounts and account numbers to prevent misuse, contacting the payer or law enforcement agencies if theft is suspected, tightening database security, or a combination of these steps.
Naomi Lefkovitz, an attorney in the FTC’s division of privacy and identity protection, says businesses do not need to submit their plans to the commission. "If we are called in to investigate a case of identity theft, at that point we would probably ask to see the written program," she explained.
Tom Hall, chief executive officer of Urology Associates of North Texas in the Dallas-Fort Worth area, says he used a package of guidelines prepared by AUA to prepare employees of his 50-physician practice to comply with the rule.
"It didn’t require us to do anything significantly different because we already go through so many steps with insurance verification," Hall said. "For the Red Flags Rule, we basically just had to start asking for a photo identification in addition."
North Texas began complying with the Red Flags Rule in July. Hall says since then there have been scattered instances of patients refusing to show photo identification.
"If that happens, our guidelines call for asking for payment in full at the time of service. We won’t bill insurance or otherwise become a creditor for them," he said.
Hall says he and other members of the senior management team conducted training at the practice’s 22 offices.
"For us the training was pretty limited in nature because the additional procedures were limited," he explained. "We just handed out written versions of the new policies and went over them with members of the staff."
Hall and other North Texas staff members initially feared that complying with the rule would require a lot of extra work.
"Obviously that’s the initial reaction any time a new regulation comes out, of how disruptive it will be. That’s where the AUA tool was invaluable, because it helped us see exactly what would be required," he pointed out.
Anjali Baxi, an attorney with Health Care Law Associates law firm in Plymouth Meeting, PA, notes that improved patient care is among the benefits of reducing identity theft.
"If someone comes in to a doctor pretending to be someone else and is treated for a disease the true patient never had, and later on the true patient is treated for something, it could pose a real problem in terms of the treatment the true patient receives," Baxi said.
Medical societies protest rule
Under the leadership of the American Medical Association, more than two dozen medical societies, including AUA, have protested the FTC’s decision to apply the Red Flags Rule to medical practices and other health care providers.
"Our position has consistently been that we don’t think physicians are creditors, because they do not electively defer payment," said Rick Rutherford, director of practice management at AUA. "It’s simply the fact that most health insurance contracts require that payments not be made until the claim is processed. But unless and until the FTC decides to change the rules, our recommendation to our members is to comply with it because there are some fairly significant penalties involved for non-compliance."
Along with assembling a "how-to" guide for implementing the rule, AUA has been communicating with members about the rule using e-mail updates and through its monthly publication, Health Policy Briefs.
"When we give talks around the country, we always try to mention it, as a word of warning that the deadline is approaching," said Rutherford. "Most of the places where I’ve spoken the last few months, the reaction I get is, 'Yeah, we’re ready to go.'"
Rutherford believes that despite three previous postponements, the FTC will begin enforcing the rule Nov. 1.
"This process is not unusual. We went through something similar with the Health Insurance Portability and Accountability regulations," he recalled. "As the deadline approached and agencies got feedback from the medical societies that their members weren’t ready, they postponed the requirements. But in every case, they eventually said ‘this is it, we’re going ahead.’ And I suspect the Nov. 1 deadline is the final one for Red Flags."