Red Flag Rules Finally Implemented, Enforcement to Begin Nov. 1, 2009

On November 1st, 2009, the Federal Trade Commission’s (FTC) “Red Flags Rule,” aimed at combating identity theft, will begin to be enforced.  These rules will require businesses, including many health care providers, to develop and enforce a written policy on identifying the warning signs (or “red flags”) of identity theft, including medical identity theft.  To be regulated under these rules, health care providers must be “creditors” that deal with “covered accounts”.1Creditors” under the rule means “any person who regularly extends, renews, or continues credit; [or] any person who regularly arranges for the extension, renewal, or continuation of credit…” and a “covered account” is defined as one “primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.”2 The FTC has determined that physicians are included as creditors, and that hospitals must be looked at on a case by case basis.  Health care organizations that require pre-payment or payment at the time of service, or those that receive full payments from a program where patients have no responsibility for fees or the remaining cost of care such as Medicaid would not be covered by these rules because of their reduced exposure to identity theft risk.3

Almost all health care practitioners will be affected by this legislation.  The final red flag rules were published in November of 2007 under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), and although the rules technically came into effect on January 1st, 2008, covered entities, through a series of extensions due to industry confusion over who was covered, have been given until November 1st, 2009 to comply.

The American Medical Association (AMA) has petitioned to the FTC to suspend the application of the new Red Flag Rules to physicians and publish a new rule, dealing only with the subjugation of physicians to the Red Flags Rule, thereby affording physician stakeholders the opportunity to review and comment on the implications of such regulatory compliance. The AMA has stated that, in its current state, the Red Flag Rules are not compliant with the Administrative Procedures Act, which required that entities be made aware of regulations that affect them and to allow such entities the opportunity to comment.4  The AMA has also expressed concern that physicians forced to comply with the rules would face an “unfunded, costly, burdensome mandate” that duplicates existing requirements under the Health Insurance Portability and Accountability Act (HIPAA).

According to the Red Flags Rule, the required written policies should lay out how a physician practice will (1) identify, (2) detect and (3) respond to “red flags”.5 A “red flag” is defined as “a pattern, practice, or specific activity that indicates the possible risk of identity theft.6 The procedures enacted to ensure compliance with red flag rules should be laid out specifically.  Policies should be approved by any governing board and all employees training in the policies procedures before November 1, 2009 and should be reviewed annually.7 Twenty-six examples of red flags are provided in the new regulations. They include suspicious personal identifying information such as 1) application information which is the same as that provided on a fraudulent application; 2) a given address is fictitious, a mail drop, or a prison, or a phone number which is invalid or associated with a pager or answering service; 3) a Social Security number which is the same as that submitted by other patients; and 4) situations in which personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor. Suspicious activity also is a red flag, for example, when medical services needed are not consistent with past medical history (i.e. a patient who has had an appendectomy comes into the emergency room for appendicitis).8

For health care providers covered by the red flag rules some or all of their red flag responsibilities already may be satisfied by HIPAA privacy and security rule policies and procedures. The written policies required by the Red Flag Rules are flexible as to what a satisfactory written “plan” is, and the rules allow creditors to incorporate existing processes into the identify theft program, meaning existing HIPAA policies can satisfy applicable requirements. This may ease the process of becoming compliant with new Red Flag Rules for health care providers.9 While HIPAA privacy rules cover patient medical records, the red flag rules extend into sensitive information such as credit card numbers, tax identification numbers, social security numbers, business identification numbers and employer identification numbers, insurance claim information, and background checks for employees and service providers. Health care providers whose policies are not red flag compliant may face a penalty of up to $2,500 per knowing violation. 10

1
“The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft” By Steven Toporoff, Federal Trade Commission, May 13, 2009.

2
“Equal Credit Opportunity Act” 15 USCS 1691(a); “Identity Theft Rules” 16 CFR 681.2(5).

3
“The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft” By Steven Toporoff, Federal Trade Commission, May 13, 2009.

4
“Federal Trade Commission final rule on Identity Theft Red Flags; 16 CFR Part 681; Application of the Red Flags Rule to Physicians” Letter to Jon Leibowitz (Chairman of the U.S. Federal Trade Commission), March 9, 2009.

5
“Red Flag Regulations and Guidelines” 72 Fed. Reg. 63719.

6
“The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft” By Steven Toporoff, Federal Trade Commission, May 13, 2009.

7
“AMA Identity Theft Prevention and Detection and Red Flag Rule Compliance: Sample Policy” American Medical Association, 2009.

8
“Hospitals Should Analyze Credit Policies to Determine Coverage by Red Flag Rule,” Bureau of National Affairs, Health Law Reporter, Sept. 25, 2008, 17 HLR 1259.

9
“Hospitals Should Analyze Credit Policies To Determine Coverage by Red Flag Rule” Health Law Reporter, Sept. 9, 2008.

10
“Protect your patients, protect your practice: What you need to know about the Red Flags Rule” American Medical Association, 2009.

© Health Capital Consultants
Todd A. Zigrang

Todd A. Zigrang, MBA, MHA, CVA, ASA, FACHE, ABV, is the President of Health Capital Consultants (HCC), where he focuses on the areas of valuation and financial analysis for hospitals, physician practices, and other healthcare enterprises. Mr. Zigrang has over 28 years of experience providing valuation, financial, transaction and strategic advisory services nationwide in over 2,000 transactions and joint ventures. Mr. Zigrang is also considered an expert in the field of healthcare compensation for physicians, executives and other professionals.

Mr. Zigrang is the co-author of "The Adviser’s Guide to Healthcare – 2nd Edition" [2015 – AICPA], numerous chapters in legal treatises and anthologies, and peer-reviewed and industry articles such as: The Accountant’s Business Manual (AICPA); Valuing Professional Practices and Licenses (Aspen Publishers); Valuation Strategies; Business Appraisal Practice; and, NACVA QuickRead. In addition to his contributions as an author, Mr. Zigrang has served as faculty before professional and trade associations such as the American Society of Appraisers (ASA); the National Association of Certified Valuators and Analysts (NACVA); Physician Hospitals of America (PHA); the Institute of Business Appraisers (IBA); the Healthcare Financial Management Association (HFMA); and, the CPA Leadership Institute.

Mr. Zigrang holds a Master of Science in Health Administration (MHA) and a Master of Business Administration (MBA) from the University of Missouri at Columbia. He is a Fellow of the American College of Healthcare Executives (FACHE) and holds the Certified Valuation Analyst (CVA) designation from NACVA. Mr. Zigrang also holds the Accredited Senior Appraiser (ASA) designation from the American Society of Appraisers, where he has served as President of the St. Louis Chapter. He is also a member of the America Association of Provider Compensation Professionals (AAPCP), AHLA, AICPA, NACVA, NSCHBC, and, the Society of OMS Administrators (SOMSA).

Jessica L. Bailey-Wheaton

Jessica L. Bailey-Wheaton, Esq., is Senior Vice President and General Counsel of HCC. Her work focuses on the areas of Certificate of Need (CON) preparation and consulting, as well as project management and consulting services related to the impact of both federal and state regulations on healthcare transactions. In that role, Ms. Bailey-Wheaton provides research services necessary to support certified opinions of value related to the Fair Market Value and Commercial Reasonableness of transactions related to healthcare enterprises, assets, and services.

She serves on the editorial board of NACVA’s The Value Examiner and is the current Co-Chair of the American Bar Association (ABA) Health Law Section’s Membership Committee and the Young Lawyer Division (YLD) Liaison to the ABA Health Law Section Governing Council. She has previously presented before the ABA, American Health Law Association (AHLA). NACVA, the National Society of Certified Healthcare Business Consultants (NSCHBC), and the American College of Surgeons.

Ms. Bailey-Wheaton is a member of the Missouri and Illinois Bars and holds a J.D., with a concentration in Health Law, from Saint Louis University School of Law.

Janvi R. Shah

Janvi R. Shah, MBA, MSF, serves as Senior Financial Analyst of HCC. Mrs. Shah holds a M.S. in Finance from Washington University Saint Louis. She develops fair market value and commercial reasonableness opinions related to healthcare enterprises, assets, and services. In addition she prepares, reviews and analyzes forecasted and pro forma financial statements to determine the most probable future net economic benefit related to healthcare enterprises, assets, and services and applies utilization demand and reimbursement trends to project professional medical revenue streams and ancillary services and technical component (ASTC) revenue streams.

Click Here for More Information on
HCC's Leadership and Capabilities
© Health Capital Consultants
Healthcare Valuation Banner Advisor's Guide to Healthcare Banner Accountable Care Organizations Banner