What is the Red Flag Rule?

The Red Flag Rule requires creditors to develop and implement a written identity theft prevention and detection program. The Federal Trade Commission has determined that, because physicians accept insurance and/or allow payment plans, you are a creditor and subject to the Red Flag Rule.


The compliance date for this rule was postponed several times: the original deadline of May 1, 2009 was moved to August 1, 2009, and June 1, 2010 is the latest planned date for compliance. The delays provided additional time to prepare and implement a program.


This rule is very beneficial to physicians. Someone may steal a patient's identity (name, insurance card) for the purpose of securing medical care or purchasing medical supplies. The false identity could lead to contradictory, inaccurate medical records, and claims filed under these circumstances would be false claims.



Where can I find information to assist in developing a plan?

FTC's publication, Fighting Fraud with the Red Flag Rules: A How-To Guide for Business is available on its website at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf. The FTC guide indicates that your program must include four basic elements to address the possibility of identity theft:

   • Policies. Begin by establishing reasonable policies to identify the red flags of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft.

   • Procedures. Establish procedures to detect the red flags you have identified.

   • Actions. Spell out appropriate actions you'll take when you detect red flags.

   • Periodic Re-evaluation. Because identity theft is an ever-changing threat, address how you will re-evaluate your program periodically to reflect new risks from this crime.



Will there be penalties for noncompliance?

Yes. Civil monetary penalties, but not criminal penalties, apply for failure to comply. There have also been changes to the privacy and security rules required by HIPAA. Early this year, President Obama signed the American Recovery and Reinvestment Act, which, among other things, enhances the privacy and security of protected health information (PHI). In April 2009, the Department of Health and Human Services (HHS) and the FTC issued guidance on notification of breaches involving PHI.



What constitutes a security breach of PHI?

A breach of security is an unauthorized acquisition, access, use or disclosure of unsecured PHI in any form, paper or electronic. Unsecured PHI means a health record that is not secured through the use of a technology or methodology specified by the Secretary of HHS. PHI is secure if it is rendered unusable, unreadable or indecipherable to unauthorized individuals by encryption or destruction.


There is also the HHS Breach Notification Rule to consider. It requires public and private notification without unreasonable delay, and within 60 days after discovery of a breach of security. This includes notifying the affected individual(s), HHS, and the media where more than 500 individuals are affected.


The notification includes: a brief description of what happened, including the date of the breach and the date of its discovery; a description of the types of unsecured PHI that were involved in the breach; the steps an individual should take to protect against potential harm resulting from the breach; a brief description of what the covered entity is doing to investigate the breach, to mitigate losses and to protect against further breaches; and contact procedures for individuals to ask questions or learn additional information.


Compliance was required by mid-September 2009, following issuance of the final Breach Notification regulations. There are significant criminal penalties for wrongful disclosure of individually identifiable information. Steps necessary for compliance include: updating your HIPAA compliance plan; creating and testing an incident response and notification plan for unsecured PHI; considering encryption and de-identification; and instituting a document destruction program, which can easily be accomplished by engaging a company to shred documents containing PHI.



What compliance changes may apply to my practice?

If you participate in a Medicare Advantage plan, the Centers for Medicare & Medicaid Services requires that all providers and staff complete fraud, waste and abuse (FWA) training. Training is required no later than December 31, 2009 and must be repeated annually. The purpose of the training is to assist practices with identification of FWA and with development of internal policies and procedures to find and fight abuse.


Some Advantage plans offer an online training program that provides an attestation that you have completed this task. Providers will likely be asked to prove to the plan that the training has been completed. For additional information on FWA training, contact the Advantage plans in which you participate.


Ms. McCune is vice president of the Corcoran Consulting Group. Contact her at DMcCune@corcoranccg.com.