
What the "Red Flags Rule" means for you
By rule, any medical practice that extends, renews, or continues credit for a patient (i.e., one that bills patients for services rendered) is subject to the "Red Flags Rule," regardless of whether you first bill an insurance carrier. The rule takes effect May 1, 2009.

To comply, you must develop a written program that allows you to identify relevant red flags, detect red flags as they occur, and prevent and mitigate identity theft. You must also be able to update the program periodically. The program, which can be created with the help of your legal adviser, must spell out how your red flags plan will be administered and must be appropriate to the size and complexity of your practice. (For a template that can assist your practice in developing its identity-theft prevention program, go to http://www.drlaw.com/publications/Red_Flag_Rules_Template1.pdf.)

The following guide may be helpful in establishing your own system.

What is a "red flag"?

A red flag is anything that could alert your practice to suspicious activity that may indicate identity theft. FTC guidelines identify four warning-sign categories:

1. Alerts, notifications, or warnings from a consumer reporting agency
2. Suspicious documents
3. Suspicious personal identity information
4. Suspicious activity relating to a covered account, or notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts

How are red flags detected?

Red flags may be detected when you verify a patient's identity, review medical records, verify insurance forms, or receive alerts or information about suspicious activity from outside agencies.

How do I prevent and mitigate identity theft?

You must develop a written program that includes appropriate responses to red flags. Responses the rule contemplates include increased monitoring of accounts, contacting the payer, contacting law enforcement agencies, changing account numbers to prevent misuse, or a combination of these measures. Preventive action also may be required if there has been a breach or attempted breach of your database.

Your program must include appropriate staff training and a means of ensuring compliance. If you engage another person or group to perform services on your accounts (e.g., a service provider), you must also take steps to ensure that their activities are conducted under a reasonable identity-theft program. This could be done through a written contract with the provider or by amending an existing HIPAA Business Associate Agreement.

The FTC requires that you update your program "periodically." Your program should, however, specify that it will be updated when the methods of identity-theft threats change or when new risks and trends develop.

Are there additional state laws that must be considered?

Yes. Many states have their own rules, which must also be implemented as part of your identity-theft prevention program.

What are the penalties for non-compliance?

A violation of the Red Flags Rule can subject your practice to significant civil monetary penalties.

The author is a health law attorney with Kern Augustine Conroy & Schoppmann in Bridgewater, New Jersey; Lake Success, New York; and Philadelphia. He can be reached at kern@drlaw.com