Red Flag Rule Enforcement Buys More Time for Providers
- By admin aapc
- In Compliance
- November 17, 2008
- Comments Off on Red Flag Rule Enforcement Buys More Time for Providers
The Federal Trade Commission (FTC) will suspend enforcement of the new Red Flags Rule until May 1, 2009. This gives financial institutions and creditors (as well as medical practices) additional time to implement written identity theft prevention programs. The Enforcement Policy Statement release does not affect other federal agencies’ enforcement of the original Nov. 1 deadline for institutions subject to compliance.
Under the Red Flags Rule, which was prompted by Fair and Accurate Credit Transactions (FACT) Act of 2003, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or activities indicating identity theft.
What does this mean for health care providers? According to Erin S. Whaley, JD, MA, associate at Troutman Sanders, LLP, “The Red Flags Rule requires health care providers and all others who regularly defer payment for service to put in place a program for preventing identity theft. These programs will require providers and their staff to be more vigilant about identifying ‘red flags’ that may indicate potential identify theft. Initially, development and implementation of Red Flags programs will require health care providers to designate a Red Flags manager, conduct a risk assessment, develop a program, and seek approval from their boards of directors. Completing these activities will require a significant effort on the part of the providers, especially with respect to obtaining board approval. Typically, a board of director’s meeting has a very full agenda and, often, the board does not address these types of issues. To comply with the Red Flags Rule, however, boards of directors will have to modify their mindsets and become involved in the Red Flags programs. After the initial implementation effort, a Red Flags program will probably not have a material impact on the day-to-day operations of the provider, but the provider will be required to comply with the program, maintain it, and provide periodic updates to the board.”
For more information about the Red Flag Rule, go to the FTC Web site.
- Healthcare in Australia - September 1, 2023
- Get Ready for CMS-HCC V28 - June 30, 2023
- Do You Have a Documentation Emergency? - April 3, 2023
I’m confused…wouldn’t these kinds of things be flagged/covered by normal HIPAA compliance? Also, the descriptions of who falls under the “Red Flag Requirements” is actually worded like this: “…non-profit and government entities that defer payment for goods or services.”
That reads to me like this would NOT include healthcare providers. Physicians are not ‘non-profit’ and altho they do generally defer payment for serices, aren’t usually ‘government entities.’
Or am I just reading this all wrong?
HIPAA covers patient privacy while this is meant to safeguard against patient’s identity which might impact patient’s credit and finances.
HIPAA has so many moving parts in the document itself that it is very inclusive of many things, but in a very vague way. To say that HIPAA covers or doesn’t cover the Red Flag issues is a little too certain for that act. I would say that if your provider accepts partial payments form individuals, say ASC providers and surgeons, then watch Red Flag closely. If your provider is primary care, or copay/coinsurances are the things you collect in full at visits or your payments are made through outside collections, then your provider should be safe.
But that’s just how I read the thing. I also teach in a college and we have had to implement this for students on financial aid plans like loans, but those with cash payments are less likely to be affected.