Healthcare providers have another six months to adopt programs that comply with the Federal Trade Commission's vaguely understood call for identity-theft prevention and detection, known as the red flags rule.
From providers' perspective, the red-flags rollout has been like having to take a test for a class they didn't know they were enrolled in and not finding out until it was too late to study. The professor is going to be cool about it and postpone the test, but they still have to take it.
The rule, issued in November 2007 by the FTC, the federal banking regulatory agencies and the National Credit Union Administration, is directed at creditors and financial institutions as required by the Fair and Accurate Credit Transactions Act of 2003. It asks for written policies specifying red flags that might indicate identity theft and procedures to watch for and respond to them. Hospitals and physicians and their lawyers didn't realize until mid- to late summer that the FTC would consider most healthcare organizations to be creditors under the rule.
The FTC now plans to provide a compliance guide between now and May 1, 2009, the new enforcement deadline. "It's our intent to try and clarify these issues people seem very anxious about," said Naomi Lefkovitz, a lawyer in the commission's Division of Privacy and Identity Protection.
A creditor, according to the rule and the FTC's interpretation of it, essentially is any organization that allows deferred payment for services, including when hospitals establish payment plans for patients unable to pay their bills or even when physician practices and hospitals collect billing information and copayments and then bill patients later for the balance they owe.
The American Medical Association in late September sent the FTC a letter, signed by 26 other physician organizations, strongly disagreeing that physician practices should have to comply. "That would lead to the result that anyone issuing a bill or invoice for services rendered would, by definition, be a creditor, which we do not believe is the intent of the statutory and regulatory scheme," they argued. Lefkovitz declined to comment on the letter.
AMA Board Chairman Joseph Heyman, in a written statement, called the enforcement delay a step in the right direction. "We will continue our work to educate the FTC as to why physicians are not creditors and thus should be exempt from red-flag rules, which will place an undue burden on physician practices," Heyman said.
One signatory to the AMA's letter was the Medical Group Management Association. "It's the No. 1 question we're getting," said Lisa Goldstein, a government affairs representative for the group, during its annual meeting in San Diego last week (see related story, p. 17).
Hospitals may have been similarly surprised and resistant to the notion to begin with, but their lawyers and associations, after conversations with FTC staff, concluded that it's harder to argue the point because of the variety of financial arrangements hospitals typically have with patients.
"Most hospitals have payment plans with patients; that puts them squarely within the rule," said Karen Smith, a partner in the law firm Bricker & Eckler in Columbus, Ohio, who helped put together a compliance guide for Ohio Hospital Association members. The resource has been sought by hospitals far beyond Ohio, she noted.
Lefkovitz stressed that the obligation is very flexible, a message she acknowledged has confounded rather than comforted a substantial number of providers. "Certainly it's our intent that nothing about the red-flags rule would impede any healthcare provider's ability to provide healthcare services," she said.
The American Hospital Association and some state associations, including the Ohio association and the Georgia Hospital Association, have worked with outside counsel to help members understand what's expected of them. The Georgia association as of late last week had signed up 250 hospitals from all over the country to participate in an online seminar on the topic.
"A lot of the things the rule suggests you should be doing would be just good business practices and consistent with protecting your patient accounts and relationships with patients," said Lawrence Hughes, the AHA's assistant general counsel. "Hospitals have been doing that for a long time."
Smith echoed that sentiment, and also said, "I think if you really want to be effective, you have to sit down with a committee of the appropriate people in the hospital and think about entry points where identity theft can occur."
Staff members, Smith said, likely have their own red flags that are consistent with the generic examples the FTC provided in a supplement to the rule published in the Federal Register. Employees might recognize the usual suspects who come back to the hospital periodically, usually attempting to get drugs, and claim different names and Social Security numbers. Staff might notice a companion refer to a patient by a different name than the one given to the hospital. Billing staff might get a call from a patient questioning a bill for a service never performed.
Heidi Echols, a partner in the law firm McDermott Will & Emery who has led the firm's efforts to educate clients on the topic, suggested that hospitals start by reviewing their privacy policies already in place under the Health Insurance Portability and Accountability Act of 1996, as well as those existing but unwritten procedures, then fill in the gaps.