Funding Focus
Watching for Red Flags
- By Kelly Riley
- Jun 01, 2010
It seems as though every month there is something
new for which DMEPOS organizations must prepare.
This month is no different, as companies must be
in compliance with the Federal Trade Commission Red
Flags Rule by the June 1, 2010, implementation date.
In November 2007, the FTC issued a set of regulations
known as the Red Flags Rule. The regulations require
that certain entities (deemed as creditors) develop and
implement written identity theft prevention and detection
programs to protect consumers. For the past three
years, organizations have been successful in pushing
back the effective date, but June 2010 was the fourth and
presumably final delay.
While there were some objections from various health
care groups, FTC staff members have made it clear that
they intend to apply the rule to nearly all medical organizations.
Providers who knowingly violate the rule could
face monetary penalties of up to $2,500 per incident. In
the FTC’s opinion, any business that accepts payment
(deferred included) for services is considered a creditor,
which is defined as “any person who regularly arranges
for the extension, renewal or continuation of credit; or
any assignee of an original creditor who participates in
the decision to extend, renew or continue credit.”
You only have to open your e-mail or take a call from
your credit card company’s fraud department (I’ve
had three calls in the past six months) to realize that
identity theft is on the rise and a very real threat to all
consumers. Those who are frail, elderly or sick make
even more appealing targets for unscrupulous behavior.
Of particular concern to home respiratory providers is
the patient who becomes a victim of medical identity
theft. Medical identity theft occurs when someone uses a
person’s name or other identity elements, such as insurance
information, to make false claims for medical products
or care. Unfortunately, the HME industry has seen
this type of scenario all too often.
Organizations need to understand there are fundamental
differences between the Red Flags Rule and
HIPAA privacy and security rules. HIPAA was developed
with the intent of protecting personal health information.
The Red Flags Rule covers protection of personal
health information as well as other sensitive data. This
can include Social Security numbers; tax, business and
employer identification numbers; credit card information;
and insurance claim information.
The first step in implementing the Red Flags Rule
is ensuring that your team knows that a red flag is a
pattern or specific account activity that indicates the
possibility of identity theft. In our industry, it could be
any of the following:
- A patient or family member communicates that they received a bill from your company for products they never received.
- A patient or family member states that they received an invoice for another individual who does not reside at that address.
- A patient or family member shares that the insurance explanation of benefits they received is for medical equipment they never received.
- The patient recites a health insurance number, but cannot produce a valid card or other documentation to prove coverage.
Your organization must also appoint a privacy officer
who will not only ensure documented training of staff
but provide ongoing oversight of the program. This
officer should take the lead in conducting a risk analysis
to identify where potential vulnerabilities lie. This analysis
should enhance or complement the risk analysis
that is required for compliance with HIPAA.
Once the analysis is complete, your organization is
then ready to develop a written Identity Theft Prevention
Program. (There are several sample programs available
through industry consultants.) The program will need
documented approval by company owners or executives.
All staff should be trained on the content of the program
and sign confidentiality agreements. These agreements
should have some expanded verbiage from the previous
forms required by HIPAA.
Finally, as most programs require, your company
must “continue to monitor for effectiveness.” To demonstrate
this, make a note at least every quarter that you
have reviewed customer complaints, formal notices
or employee communications as they apply to identity
theft and document any actions taken.
Protect your company and your customers by knowing
the Red Flags Rule. More information is available from
the FTC at www.ftc.gov/redflagsrule.
This article originally appeared in the Respiratory & Sleep Management June 2010 issue of HME Business.
About the Author
Kelly Riley, CRT, is director of The MED Group's National Respiratory Network and has more than 25 years of experience in the respiratory arena.