FTC Red Flag Rules – Regulation From A New Direction

It never ceases to amaze me the number of varying directions from which hospitals and health care providers get regulated!

The most recent federal agency to jump on the health care regulation bandwagon appears to be the Federal Trade Commission (FTC). On November 9, 2007, the FTC, in conjunction with federal bank regulators, issued a set of regulations intended to combat identity theft. These regulations are commonly referred to as the “Red Flag Rules.” The Red Flag Rules require financial institutions and other “creditors” to implement a program designed to detect, prevent and mitigate identity theft in connection with the creation and maintenance of “covered accounts.”

Many hospitals and health care providers began to pay attention to these regulations a few months ago when word started to “eke out” that the Red Flag Rules might apply to hospitals and other health care providers. While the application of these rules to any specific transaction will depend upon the specifics of the transaction at issue, what does seem pretty clear at this point is that if you are affiliated with a health care provider that periodically allows patients to pay for their medical services through a series of payments, over time, that health care provider is likely a “creditor” and needs to comply with the Red Flag Rules. Health care providers should, with very limited exception, expect to comply with the Red Flag Rules as of November 1, 2008.

Compliance with the Red Flag Rules is, in many ways, tied to your HIPAA compliance program and the policies and procedures health care providers already have in place. Similar to the HIPAA Security and Privacy Regulations, the Red Flag Rules deal with access to information in patient medical records and billing account records and the extent to which those records may be accessed and used to commit identity fraud.

To begin your compliance efforts, look to identify points of access or entry into patient records or accounts that might lend themselves to identity theft. Form a committee or task force made up of representatives from: HIM, HIPAA privacy and security, patient accounts, patient registration, pharmacy and the emergency department. Ask this group to brainstorm the points of access to relevant patient information and to analyze specific examples and experiences with patient identity theft to begin to develop a sense of where your identity theft risk lies.

Next, look at your existing privacy and security policies developed as part of your HIPAA compliance efforts and then evaluate what changes or additions need to be made to those policies in order to minimize your identity theft risk. In addition, you may need to revise policies or add new policies that will alert you to identity theft when it occurs and guide your response to patient identity theft.

Other things you will need to do over time as you build your Red Flag Rules compliance program will include demonstrating Board approval and oversight of your program and amending your existing business associate agreements so that your business associates are contractually obligated to be your partners in this effort.

In addition to resources being developed by the American Health Lawyers Association, the AHA and other organizations, your compliance counsel should be available to assist with the development of a Red Flag Rules compliance program.