ATLANTA — Just when you thought you had all the newest rules and regulations under control, it's time to make sure you're ready for the FTC's "Red Flags Rule" on identity theft. The full text of the rule, which includes guidelines for developing an identity theft program (beginning on page 63773), is available at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. To gain a better understanding of its legal requirements, HomeCare asked health care attorney Jeff Baird, chairman of the Health Care Group at Brown & Fortunato, to explain the Red Flags Rule. His Q&A on the basics of the rule, which has a compliance date of May 1, follows:
Q: What is the Red Flags Rule?
A: The Red Flags Rule is a set of regulatory provisions regarding the prevention and mitigation of identity theft, including medical identity theft. Section 114 of the Fair and Accurate Credit Transactions Act of 2003 amended the Fair Credit Reporting Act of 1970 to require federal bank regulatory agencies, the National Credit Union Administration and the Federal Trade Commission to jointly develop rules and guidelines regarding identity theft. The final Red Flags Rule was published Nov. 9, 2007, and initially required a compliance date of Nov. 1, 2008. The compliance date was subsequently delayed to May 1, 2009. This means that the Red Flags Rule is effective right now.
Q: Is the Red Flags Rule applicable to HME suppliers?
A: Yes, the Red Flags Rule applies to most, if not all, HME suppliers. The Red Flags Rule applies to "financial institutions" and "creditors" that maintain "covered accounts." The American Medical Association argued that a health care provider is not a "creditor" under the rule. However, the FTC considers a creditor to be any entity that regularly defers payment for goods and services. In other words, a health care provider that bills patients after services are rendered or that bills third-party payers for services rendered to patients is a creditor under the rule. A health care provider that requires payment before or at the time of service is not a creditor.
A "covered account" is a consumer account that allows multiple payments or transactions, or has a reasonably foreseeable risk of identity theft. The FTC takes the position that patient accounts are generally covered accounts under the rule.
Q: What are the basic requirements of the Red Flags Rule?
A: Entities subject to the Red Flags Rule are required to develop a written identity theft prevention program to spot warning signs, or "red flags," of identity theft. The program must include reasonable policies and procedures that address four basic elements.
First, the program must have policies and procedures to identify red flags during the day-to-day operation of the business. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if the patient must show some form of identification during intake, then an identification card that looks fake would be a red flag.
Second, the program must have policies and procedures to detect the red flags that have been identified. Continuing the above example, if a fake ID is a red flag, then the program must have policies and procedures in place to detect fake IDs.
Third, the program must specify the steps the HME supplier will take when a red flag is detected. The steps should be designed to prevent and mitigate any harm from the detected red flag. In our example, the program would need to specify what actions the HME supplier will take when it determines that a patient has presented a fake ID to law enforcement.
Finally, the program must specify how the HME supplier will re-evaluate the program to address new or changing risks of identity theft. For example, the program may specify that it is reviewed and updated annually, and reviewed at any time if the supplier is made aware of a new risk (such as a new method) of identity theft.
The initial program must be approved by the HME supplier's board of directors (or a committee of the board), or, if the supplier does not have a board, a senior-level employee. Either the board of directors or a designated employee (at the level of senior management) must be involved in the oversight, development, implementation and administration of the program.
The program must provide for training to staff as necessary. If the HME supplier has subcontractors to perform parts of its operation that would be covered by the Red Flags Rule, such as billing, then the program must include policies and procedures for monitoring the subcontractor's compliance with the program and the Red Flags Rule. The Red Flags Rule includes an appendix that contains guidelines for developing and administering the program.
Q: What are some examples of red flags for HME suppliers?
A: There is no standard list of red flags for health care providers in the guidelines in the Appendix to the Red Flags Rule. However, the FTC has provided the following red flags as potentially relevant to health care providers:
- Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you — for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.
- Suspicious personally identifying information. If a patient gives you information that doesn't match what you've learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date or Social Security number that doesn't match information on file or from the insurer, fraud could be afoot.
- Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn't get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.
- Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.
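The second and third bullets above (mismatched identifying information and suspicious account activity) are the red flags that a supplier's billing or intake system can check automatically, which is the "detect" element of the program described earlier. The following is an added illustration, not code from the article, the FTC or Brown & Fortunato: it compares what a patient presents at intake against the record already on file (or received from the insurer), after normalizing the formats staff commonly type, and returns the red flags that the program's response procedures would then act on. All field names, the sample records and the returned-mail threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# --- Normalization helpers: avoid false red flags caused only by formatting ---

def normalize_ssn(ssn: str) -> str:
    """Keep digits only, so '123-45-6789' and '123 45 6789' compare equal."""
    return re.sub(r"\D", "", ssn)

def normalize_address(addr: str) -> str:
    """Case-fold and drop punctuation/whitespace for a tolerant comparison."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def normalize_dob(dob: str) -> Optional[str]:
    """Accept the date formats staff commonly enter; return ISO 'YYYY-MM-DD' or None."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y", "%d %b %Y"):
        try:
            return datetime.strptime(dob.strip(), fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return None

# --- Records (constructed field names; a real system would map its own schema) ---

@dataclass
class PatientProfile:
    """What is already on file for the patient, including insurer-supplied data."""
    name: str
    dob: str
    ssn: str
    address: str
    returned_mail_count: int = 0   # undeliverable statements in the review period
    recent_visits: int = 0         # appointments kept in the same period

@dataclass
class IntakeData:
    """What the person presents at intake, as entered by staff."""
    name: str
    dob: str
    ssn: str
    address: str
    id_photo_matches: bool = True                    # staff observation of the ID
    disputes_bill_for_unreceived_service: bool = False

def detect_red_flags(on_file: PatientProfile, presented: IntakeData,
                     returned_mail_threshold: int = 2) -> List[str]:
    """Return the FTC red-flag categories triggered by this intake (empty list if none)."""
    flags: List[str] = []
    if not presented.id_photo_matches:
        flags.append("suspicious_document: ID photo or description does not match patient")
    presented_dob, on_file_dob = normalize_dob(presented.dob), normalize_dob(on_file.dob)
    if presented_dob is None or on_file_dob is None:
        flags.append("pii_unparseable: date of birth could not be interpreted; verify manually")
    elif presented_dob != on_file_dob:
        flags.append("pii_mismatch: date of birth differs from record on file")
    if normalize_ssn(presented.ssn) != normalize_ssn(on_file.ssn):
        flags.append("pii_mismatch: Social Security number differs from record on file")
    if normalize_address(presented.address) != normalize_address(on_file.address):
        flags.append("pii_mismatch: home address differs from record on file")
    if on_file.returned_mail_count >= returned_mail_threshold and on_file.recent_visits > 0:
        flags.append("suspicious_activity: mail repeatedly returned while patient keeps appointments")
    if presented.disputes_bill_for_unreceived_service:
        flags.append("suspicious_activity: patient disputes a bill for a service not received")
    return flags

def example_cases() -> Dict[str, List[str]]:
    """Constructed sample data: one formatting-only difference, one genuine mismatch."""
    on_file = PatientProfile("Jane Q. Sample", "1965-03-02", "123-45-6789",
                             "12 Oak St, Amarillo TX 79101",
                             returned_mail_count=3, recent_visits=2)
    consistent = IntakeData("Jane Q. Sample", "03/02/1965", "123 45 6789",
                            "12 Oak St., Amarillo, TX 79101")
    mismatched = IntakeData("Jane Q. Sample", "1966-03-02", "123-45-6780",
                            "12 Oak St., Amarillo, TX 79101",
                            disputes_bill_for_unreceived_service=True)
    return {"consistent": detect_red_flags(on_file, consistent),
            "mismatched": detect_red_flags(on_file, mismatched)}

if __name__ == "__main__":
    for label, flags in example_cases().items():
        print(f"{label}: {flags or 'no red flags'}")
```

In the "consistent" case only the returned-mail pattern fires, because the differently formatted date, SSN and address all normalize to the on-file values; in the "mismatched" case the date and SSN differences and the disputed bill are reported as well. The output is a list of categories for staff to act on under the program's response procedures, not a decision by itself; a record that trips a flag still needs the additional verification the rule anticipates.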
Q: How will the Red Flags Rule be enforced?
A: The Federal Trade Commission is generally responsible for enforcing the Red Flags Rule. There are no criminal penalties for failing to comply with the Red Flags Rule. However, the Federal Trade Commission may seek a civil penalty of not more than $2,500 per violation. The statute also allows consumers (i.e., patients) to recover damages and attorneys' fees, and the court may also impose punitive damages.
In addition, for HME suppliers enrolled in Medicare, a violation of the Red Flags Rule could also form the basis of a violation of the DMEPOS Supplier Standards, which require, among other things, that a supplier operates its business and furnishes Medicare-covered items in compliance with all applicable federal and state licensure and regulatory requirements.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, P.C., a law firm based in Amarillo, Texas. He represents pharmacies, infusion companies, home medical equipment companies and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization. He can be reached at 806/345-6320 or jbaird@bf-law.com.