Web Exclusive: Red Flags Rule implementation delayed
Further action needed to exempt physicians from regulations
By Sheila Madhani, assistant director of health policy
On May 28, 2010, the Federal Trade Commission (FTC) said it will push back the Red Flags Rule implementation deadline to December 31, 2010. The rule requires creditors and financial institutions to develop and implement written identity theft programs to help identify, detect and respond to patterns and practices or specific activities known as “red flags” that could indicate identity theft. This rule is of interest to physicians because the FTC has classified physicians as creditors because they do not always receive payment in full from their patients at the time of treatment.
If implemented, medical practices would be required to have reasonable procedures in place to protect against identity theft. The definition of reasonable would vary by practice and relate to the level of risk of identity theft at the practice. It is anticipated that anti-identity theft procedures would be coordinated in some fashion with a practice’s HIPAA procedures.
Public scrutiny causes multiple delays of Red Flags Rule
The FTC originally issued the Red Flags Rule on November 9, 2007. The rule is a section of the Fair and Accurate Credit and Transactions Act, a federal law requiring the establishment of guidelines for financial institutions and creditors regarding identity theft. The FTC has voted several times to delay implementation of the Red Flags Rule after concern expressed by members of Congress and the health care provider community on the economic burden the rule would impose on individual medical practices. The physician community has been fighting the inclusion of physicians under the definition of creditors since the rule was first published. In May 2010, the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a suit against the FTC. The legal and accounting communities have also protested their inclusion as creditors under this rule.
Legislative fix in the works
On May 25, 2010, Sens. John Thune (R-S.D.) and Mark Begich (D-Ark.) introduced S. 3416, which amends the Fair Credit Reporting Act. The bill would exempt small businesses from the FTC’s Red Flags Rule. As it relates to physicians, a small business would be a medical practice of 20 employees or fewer. If this legislation passes as currently drafted, the Red Flags Rule would still apply to practices with more than 20 employees. The bill has been referred to the Senate Banking, Housing and Urban Affairs Committee. Text from the current legislation is available online. A similar bill, H.R. 3763, passed the U.S. House last year on a 400-0 vote.
Guidance from FTC
While the exact future of this rule as it applies to the physician community remains unclear, ASTRO recommends members familiarize themselves with this issue. The FTC released a statement for health care providers on what they need to know about complying with the new requirements and how to determine if the rule applies to them. Providers who regularly bill patients after the completion of service, including for the remainder of medical fees not reimbursed by insurance, or who allow patients to set up payment plans are considered creditors. If you are covered by the rule, your program against identity theft must:
- Identify the kinds of red flags that are relevant to your practice.
- Explain your process for detecting them.
- Describe how you’ll respond to red flags to prevent and mitigate identity theft.
- Spell out how you’ll keep your program current.
The complete statement is available online at www.ftc.gov/bcp/edu/pubs/articles/art11.shtm.
ASTRO will continue to monitor this issue and inform the membership of any updates.