April 3, 2009 — Based on legislation passed by Congress in 2003, in 2007, the Federal Trade Commission (FTC) first issued regulations stating that financial institutions and creditors are required to develop and execute written “identity theft prevention programs” that must provide for the identification, detection, and response to patterns, practices, or specific activities. These are known as “red flags” and could indicate identity theft. Enforcement of the regulation begins May 1, 2009.

Until recently, there was much ambiguity regarding the regulations and questions were raised as to whether physician offices fell under the FTC red flags guidelines. In February, the FTC issued a statement clarifying that Identity Theft Red Flag Rules do indeed apply to physicians including doctors of chiropractic. The FTC does not believe that the regulations will inflict any substantial burdens on most healthcare providers despite the fact that several specialty groups have objected to the inclusion.

The American Chiropractic Association (ACA) is supporting congressional intervention in this issue and is behind a letter to be sent to the FTC by the Chairwoman of the House of Representatives Committee on Small Business, Rep. Nydia Velázquez (D-NY) urging FTC to hold the enforcement of the Red Flags Rules in abeyance, until further effects of the rules are examined.

However, please treat the regulations as “live” until further notified by the ACA.

The goal of the Rules is “to reduce the overall incidence and impact of identity theft, including medical identity theft” along with credit information. Medical identity theft occurs when someone uses another person’s name and sometimes other parts of their identity, such as insurance information, without the person’s knowledge or consent.

Two conditions must be met in order for medical practices to be covered; they need to be a “creditor” organization, and they are required to have “covered accounts.” “Credit” is defined as an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. If a medical practice first submits a claim for services to an insurance company and then bills any remaining amount to the patient after the claim is adjudicated, it is considered a “creditor”

organization in addition to a creditor arrangement since payment for goods and services is deferred until the claim is processed. Red Flag Rules consider patient billing records “covered accounts” if they permit multiple payments or if they have a reasonable risk of identity theft. Red Flag Rules are risk-based and designed to be flexible based on the level of risk faced by each healthcare provider.

Full story