Identity Theft Daily

Red Flag Rules Effective November 1, 2008

Written by Identity Theft Daily Staff   
Thursday, 16 October 2008

NACHC has received inquiries as to whether the so-called “Red Flag” rules issued by the Federal Trade Commission (FTC) apply to health centers. The Red Flag rules require covered entities to implement anti-identity theft measures. The rules apply to any institution, including a health care provider, that is a “creditor” and maintains “covered accounts” as those terms are defined in the rules. Covered entities must implement an identity theft prevention program by November 1, 2008.

This Alert is intended to outline key features of the Red Flag rules. Whether an individual health center is covered by the Red Flag rules depends entirely on its specific billing and collection practices. Accordingly, health centers should review the Red Flag rules to determine if they are covered and, if so, the actions required to comply with them. The rules can be found at http://www.ftc.gov/os/fedreg/2007/november/0711090redflags.pdf.

Background

The Fair and Accurate Credit Transactions Act of 2003 required the FTC and banking regulators to issue regulations regarding the detection, prevention, and mitigation of identity theft, which the FTC defines as “a fraud committed or attempted using the identity of another person without authority.” The regulations are designed to protect consumers by requiring businesses that extend credit (as defined in the regulations) to customers to develop a written program, approved by its board of directors, that identifies warning signs and suspicious activity (that is, “red flags”) of possible identity theft. The program also must include measures to prevent identity theft and to mitigate damages from instances of identity theft, and include provisions for training of staff and periodic updating as needed.

It is important to note that the Red Flag rules are intended to protect both a business and its customers from the havoc and financial loss that can occur when an imposter uses another person’s identity to secure credit from the business. Health centers, like all other health care providers, already are required under the HIPAA Privacy and Security Rules to prevent unauthorized disclosure of protected health information. Preventing unauthorized access to and/or disclosure of patient information is critical to protecting patients from identity theft. However, strict adherence to HIPAA privacy and security measures alone is not sufficient to comply with the Red Flag rules. Therefore, health centers that are subject to the Red Flag rules must also implement identity theft protection measures as required by the regulations.

Which Health Centers Must Comply with the Red Flag Rules?

Under the regulations, only health centers that regularly extend, renew, or continue credit to patients and that offer or maintain covered accounts must comply.

Credit is defined for purposes of the regulations as “the right granted...to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”

The regulations define a covered account as:

An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.

Accordingly, the threshold question for a health center is whether it extends credit, that is, whether it provides patients with the right to defer payment for services. Requiring payment in full at the time of service (including full payment of insurance co-pays or discounted fees under a “sliding fee” scale) either in cash, with a credit card, or via a third party such as Medicaid, Medicare, or other third party payor does not constitute the extending of credit.

Conversely, a health center that allows patients to pay on a periodic basis – to defer full payments (with or without the imposition of any interest or carrying charges) – would be extending credit under the regulations and would be subject to the regulations if it regularly follows this practice. While “regularly” is not defined in the regulations, one could reasonably conclude that deferring payment only on an ad hoc and intermittent basis would not be sufficient for a health center to come under the Red Flag rules.

There are other grey areas in the rules. For example, billing a patient rather than collecting payment in full at the time of service could be interpreted as extending credit since the health center would be allowing the patient to defer payment. However, if payment in full is expected upon the patient’s receipt of the bill, this arrangement should not qualify as a covered account as it does not, on its face, permit multiple payments. On the other hand, an arrangement permitting the patient to pay the bill in multiple payments would be a covered account, and the health center would be covered by the Red Flag rules. Similarly, it is not clear whether deferred collection of an established obligation under circumstances in which the health center did not intend to extend credit at all, such as when an insurance claim is denied in whole or in part, is covered by the rules.

The FTC expects to publish more detailed guidance on the Red Flag rules, which may clarify the agency’s interpretation of these and other issues.

In sum, a health center should review its payment and collection practices to determine if it extends credit (as defined in the regulations) and maintains covered accounts, as those terms are defined in the Red Flag rules. A health center has the option of changing its billing and collection practices so that it is not covered by the Red Flag rules. In NACHC’s view, doing so would not be inconsistent with BPHC policy. Alternatively, a health center may continue to extend credit and implement an identity theft compliance program as required by the Red Flag rules. Note, however, that the Red Flag rules apply to patient accounts existing on November 1, 2008 as well as to new accounts opened after that date. Therefore, a health center that has existing accounts covered by the Red Flag rules should review those accounts for indicia of identity theft in accordance with the Red Flag rules even if it does not intend to continue to extend credit.

What Are the Key Features of the Red Flag Rules?

The Red Flag rules have many features typical of a compliance program. Importantly, the rules permit a covered entity to structure an identity theft protection program appropriate to the entity’s activities and the complexity of its covered accounts. Moreover, an entity may incorporate provisions of its existing policies and procedures that are designed to protect patient identity, such as its HIPAA compliance program. Accordingly, it should not be difficult for health centers to implement a compliant identity theft protection program. However, the Red Flag rules require, at a minimum, the following administrative measures:

  • A written program
  • Approval by the board of directors
  • Oversight by the board, board committee, or a senior manager
  • Implementation and administration of the program by senior management
  • Staff training
  • Periodic review and updating as necessary
     

The program itself must provide for:

  • Periodic risk assessment to determine whether the health center maintains covered accounts
  • Identification of Red Flags, i.e., indicators of possible identity theft that are relevant to the health center’s operations
  • Policies and procedures to detect Red Flags once they have been identified
  • Response to Red Flags, as appropriate, to prevent or to mitigate identity theft 
 