FTC Delays Enforcement of the 'Red Flag's' Rule Until November 1, 2009

Posted on August 4, 2009 by Ilana Sable

On July 29, 2009, the Federal Trade Commission ("FTC") announced that it would redouble its efforts to educate small business (including most health care providers) about compliance with the "Red Flags" Rule by providing additional resources and guidance to clarify whether businesses are covered by the Rule, and what they must do to comply. In the spirit of this effort, the FTC has decided to further delay enforcement of the Rule until November 1, 2009.   

I suspect that many health care providers subject to the Red Flag's Rule would not have been in compliance on the original August 1, 2009 enforcement date, and therefore still need to put together a compliance program.  The good news is that compliance is relatively easy and will take very little time to complete.  I recommend reviewing the FTC's newly added Red Flag's Rule: "Frequently Asked Questions" section to determine if your business is subject to compliance under the Rule.  If so, see the FTC's compliance template (pdf) for businesses at low risk for identity theft.  It is short, straightforward and simple to use.

Tags: , ,

Guidance on Preparing for Implementation of the Red Flags Rule

Posted on June 23, 2009 by Ilana Sable

The FTC has posted a compliance template (pdf) for businesses at low risk for identity theft, such as most health care providers.  The template allows business owners to design their own Identity Theft Prevention Program in accordance with the FTC Red Flags Rule, and consists of two relatively easy to use parts. 

Part A helps users determine if their business is at low risk, and Part B helps users design a written Identity Theft Prevention Program if their business is in a low risk category.

However, like any other compliance regulation, the purpose of the Red Flags Rule is not to inflict more paperwork on affected businesses; its purpose is to foster meaningful use of effective identity theft prevention programs.  At minimum, health care providers must actually adhere to the programs that they develop, and train their employees accordingly.

Remember, the implementation date for the Red Flags Rule is August 1, 2009!
 

Tags: , ,

A Primer on the FTC Red Flags Rule

Posted on June 1, 2009 by Ilana Sable

The “Red Flags” Rule, enforced by the Federal Trade Commission (“FTC”), requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.

The Red Flags Rule applies to financial institutions and creditors. The determination of whether your business or organization is covered by the Red Flags Rule is not based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Health care providers are among the entities that may fall within this definition, depending on how and when they collect payment for their services.

For instance, health care providers become third party creditors, like credit card companies, when they extend their services (give value) to patients and then wait to receive payment from their patients’ health insurance carriers. While the health care provider is waiting to receive payment, he or she has “credited” the service to the patient with the expectation of reimbursement from the insurer at some future time.

Another example is health care providers who offer payment plans to their patients. This is often the case with very expensive, and frequently uninsured, dental work, where the health care provider offers the patient a payment plan that the patient pays off over the course of the treatment. Again, the health care provider credits the patient with the service and waits for full reimbursement from the patient.

On April 30, 2009, the FTC announced that it is postponing implementation of its Red Flags Rule until August 1, 2009. For more information of the Red Flags rule – and how it applied to your practice – please see the FTC’s guide on Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (pdf).
 

Tags: ,

Provider Compliance Programs: Every Private Medical Practice Should Have One

Posted on April 19, 2009 by Ilana Sable

This post goes out to all those private medical practices that are under the impression that they are too small or too insignificant to draft and implement a comprehensive compliance program. You know who you are.

What are you doing to protect your patients medical records from inappropriate examination or theft? How do you ensure that your practice is consistently billing and coding “clean claims”? How will your prove that your employees are trained in handling protected health information?

Auditors, attorneys and inspectors will not be amused when they ask to see your compliance manual and you, in turn, point to the “employees only” sign on your wall.  Every single private medical practice is subject to the rules and regulations of powerhouses such as HIPAA, and is thereby encouraged to have a formal corporate compliance program. And I am not talking about a 1,000 page binder that would take an entire week to read. To the contrary, a comprehensive compliance program consists of seven fundamental elements:

  1. Implement written policies, procedures and standards of conduct
  2. Designate a compliance officer to be responsible for execution of the compliance program
  3. Conduct effective and consistent employee training and education
  4. Develop lines of communication for employees, patients and private citizens
  5. Enforce compliance standards through well-publicized disciplinary guidelines
  6. Conduct regular internal monitoring and auditing
  7. Respond promptly to detected offenses and develop a strategy for corrective action

The trick is to take these seven elements, transform them into a simple set of written guidelines that are tailored to meet the needs of the individual practice, and then incorporate them into the practice's daily routine.

Tags: , , ,