
The deadline for having a written identity theft program to comply with the FTC Red Flags Rule is rapidly approaching. By
TEN STEPS FOR EFFECTIVE COMPLIANCE
1. Identify Covered Activities. The first step in drafting and implementing a compliance program to comply with the Red Flags Rule is to identify the practice’s activities that are subject to the Red Flags Rule. This will most likely consist of establishing patient accounts for the payment of services rendered by the entity.
2. Program Adoption. The program should be approved and adopted by your practice’s Board of Directors or other leadership group. The written program should briefly explain how the program was adopted.
3. Program Purpose. The program should explain its purpose, namely, to identify, detect, prevent, and mitigate identity theft in connection with patient accounts.
4. Definitions. The program should define key terms such as “identity theft,” “covered accounts,” “red flag,” and “identifying information.”
5. List Relevant Red Flags. List the red flags that are relevant for the accounts that you offer or hold. Not all of the 26 red flags listed by the FTC in Appendix J to the final rules will be relevant for health care practices, as many would apply only to depository institutions. In identifying and listing the relevant red flags, practices should consider the methods they use in opening covered accounts and past experiences where patients raised identity theft concerns or issues. Some of the red flags that are likely to be applicable to health care practices are: name or address discrepancies; presentation of suspicious documents or personal information inconsistent with information already on file at the practice; and notice from law enforcement that identity theft has occurred in relation to a specific patient.
6. Detecting Red Flags. Explain how your program will detect red flags when you open a covered account or in connection with an existing covered account. For example, explain the steps you take to verify the identity of a patient, such as reviewing a driver’s license or other identification. For existing accounts, explain what you do to verify the identity of patients if they request information by phone or in person. If you have existing policies and practices, such as policies to ensure compliance with HIPAA, cross-reference them in your Red Flags program.
7. Responding to Red Flags. Explain in plain English what personnel should do if they detect a red flag. Examples can include monitoring an account for evidence of identity theft; contacting the patient; changing passwords, security codes, or other security; not attempting to collect on a covered account; ensuring that medical information about the identity theft is maintained separately from information about the patient; or determining that no response is warranted under the particular circumstances.
8. Service Providers. If you use third-party service providers in connection with your patient accounts, explain how you will monitor the service providers to make sure that they perform their activities with reasonable policies and procedures to detect, prevent, and mitigate the risk of identity theft. For example, you may require in your contracts that the service providers have a compliant Red Flags program. In addition, you might require that service providers review your program and report any red flags to the administrator of your program.
9. Program Administrator. A member of your practice’s senior management should be appointed as the program administrator to develop, implement, and administer the program. The written program should identify the program administrator.
10. Maintaining and Updating the Program. The program administrator or his or her designees should review the program after any identity theft incident that the program does not prevent, and at least once every 12 months. The program administrator should report to your board or leadership group once a year on the state of the practice’s compliance with the program and any changes to the program that the administrator believes are necessary.
By following these ten steps, practices can craft and implement an effective program to detect, prevent, and mitigate identity theft that complies with the FTC Red Flags Rule.
Contact:
Robert M. Portman (rob.portman@ppsv.com)
Robert S. Lavet (rob.lavet@ppsv.com),
Stephanie Cason (stephanie.cason@ppsv.com)
1501 M Street, NW
Seventh Floor
Telephone: 202.466.6550
© 2010 Powers Pyles Sutter & Verville, PC. All rights reserved.