ADVISORY e-ALERT     May 28, 2009
Advisory Law Group, a Professional Corporation
In order to give "creditors," which by definition includes most, if not all, medical practices, more time to comply with its "Red Flags Rule," the Federal Trade Commission has announced that it will delay enforcement of the Rule until August 1st.
What is the Red Flags Rule?
The Red Flags Rule is a federal regulation aimed at detecting identity theft through the identification by financial institutions and creditors of "red flags," indicators of possible identity theft appropriate to the specific business relationship, in order that action can be taken to expose actual instances of that crime, mitigate its damage, and prevent future occurrences.
Despite protest by the American Medical Association and other groups that the federal statute pursuant to which the Red Flags Rule was issued was never meant to cover the doctor-patient relationship, and that, therefore, the Rule is overbroad, the FTC has not agreed with that position.
In announcing the extension of the enforcement date, the FTC acknowledged the debate concerning the scope of the Rules and stated that it will release a template to help entities that have a low risk of identity theft, including those that know their customers personally, comply with the law.
Why Should You be Concerned?
Physicians need to be concerned with the Rule and compliance with it for several reasons.
First, the penalty for noncompliance with the Rule could be as high as $2,500 for each "knowing violation."  As it is likely that your noncompliance would be global and not just limited to a single instance, it is conceivable that if you are liable for one penalty you would simultaneously be liable for many penalties.
Second, there are other good reasons to comply with the Rule besides the avoidance of penalties:
●  The Rule operates as a logical component to patient privacy laws including HIPAA, with which your practice already complies.  HIPAA and other privacy laws are designed to keep a patient's healthcare information restricted to those who should be using it - the Red Flags Rule operates to prevent a patient's healthcare information from being "polluted" with inapplicable data, the data of a third party who has assumed the patient's identity.  In this light, the Red Flags Rule is another component of assuring data security and trustworthiness.

 ●  Unpolluted data not only benefits the "real" patient, in certain circumstances it can benefit your ability to interpret and diagnose.  For example, it increases the chances that an image taken previously is really of the same individual.

 ●  Additionally, it increases the odds that you will not be conned into providing care that will not be reimbursed.  For example, Ms. Jones' carrier will not pay for services delivered to Ms. Smith masquerading as Ms. Jones.
How Can You Determine if Your Practice is Required to Comply With the Rule?
The Rule sets out a test to determine if you fall within its scope.
First, you must be a "creditor" which, for medical practices means that you regularly defer payment by your patients -- that is, they do not pay 100% of the fee at the time of service.  Of course, if you accept later payment from your patients' carriers or bill for co-pays or deductibles, or allow payment plans, then you've met this requirement.
If you are a creditor, the Rule applies only if you have "accounts," which requires a continuing relationship with your patients.  Although it might be conceivable that your practice has one-time patient encounters only, most if not all practices will have multiple transactions with some patients and will therefore fall subject to the Rule.  Because of the penalties that can be imposed for noncompliance, it's prudent to err on the side of caution when considering whether your practice meets this requirement.
The next step is to determine if your accounts are "covered accounts."  There are two tracks to covered account status.  One is that the service underlying a multiple payment account relates to personal, as opposed to business, purposes; most healthcare services would be included within this track.  The other track is that there is a reasonably foreseeable risk of harm (financial, operational, compliance, reputation, or litigation risk) to your "customers" or to your practice from identity theft -- this, too, would generally be the case.
We're Covered, So Now What?
If your practice is covered by the Rule, you are required to implement a written "Identity Theft Prevention Program" by August 1, 2009.  The Program must be approved by your entity's board of directors or like governing body or by the group's senior management.
The first step in developing the Program is to identify "red flags" of identity theft relevant to your practice.  For example, red flags might include identification that is obviously forged or phony, a social security number outside of the date range of the patient's stated age, an address which turns out to be nonexistent or otherwise not valid, or receipt of a complaint from the person receiving your statement that he or she has never been a patient of your practice.
You have to design and implement procedures for identifying those red flags, both in respect of new patient accounts and existing ones.  This includes staff training on the implementation of policies designed to discover incidents of red flags.
You need a plan for how to react if a red flag is detected.  Your plan might include steps such as informing the police and other authorities, notifying the victim of the identity theft, and assessing the injury to your practice and its medical records.
Your Identity Theft Prevention Program must be overseen by your entity's board, senior management or by someone to whom that task is delegated.  And, you need to make periodic assessments of how your plan is operating and of any changes to it that should be made.
Hospital-based groups, as well as other practices, that bill through outside billing services, need to coordinate their program design and implementation with their billing service.  Note, however, that as it is your obligation, and not the billing service's, to comply with the Red Flags Rule, and as the FTC will levy penalties against you directly, you cannot simply "outsource" all responsibility and oversight to your billing service.

What's the Practical Bottom Line?
From a practical perspective, it makes little or no sense to rely on the argument that the Red Flags Rule or the statute underlying it is overbroad and not meant to apply to healthcare providers. 
Even if the FTC were to change its position on the applicability of the Rule, it is beneficial to physicians to adopt its practices, both to reduce the risk that you might be creating medical data that "pollutes" your medical records and to increase the chances that you will be paid for your services.
Lastly, compliance is relatively easy, especially when considered as a complement to existing HIPAA policies and procedures.  
Contact Mark F. Weiss for more information.


This article touches on a subject that I first raised in my April 10, 2009, blog post at Wisdom. Applied., Is There a Paraprofessional in YOUR Future?

As I wrote in that post:

"In a move to increase their efficiency (and profitability) physicians welcomed paraprofessional "extenders" (e.g., PAs, CNRAs, radiologist assistants).  But subsequent trends, including carriers and government programs seeking lower "costs" and the fact that paraprofessions, once established, generally seek to expand their scope, are combining to create competition against their former "masters."

Society is at an important convergence of crossovers, none of which, if they continue unchallenged, bodes well in terms of stopping the expansion of scope of practice permitted to healthcare paraprofessionals.

"Cheap" vs. "Expensive"

Physicians are seen as costly in comparison with paraprofessionals.  This viewpoint discounts the argument that paraprofessionals are, in many cases, eligible for overtime, negating any perceived cost savings.

Socialized Healthcare vs. Private Practice Medicine

We're crossing the line at which the number of taxpayers is exceeded by the number of entitlement recipients, increasing the likelihood of socialized healthcare.  As socialized care has led to rationing and cost-cutting wherever it has been attempted, a shift in that direction will likely lead to increased paraprofessional use both in order to achieve perceived savings and to supplement the increasing shortage of physicians.

Technology vs. Expertise

Advances in technology fueled by the microchip revolution have resulted in the perception that technology itself, as opposed to expertise, is driving the advancement in medical care.  The question to many has become, "Why can't a paraprofessional with technological training perform the same function as a physician?"
I'm reminded of the old bumper sticker, "Think Global.  Act Local."  Although I'm not a fan of bumper sticker logic, that advice is directly on point in terms of what physicians must do to retain their professional turf.
The first move is to strategize your own future . . . before someone else owns it. 



ADVISORY LAW GROUP, a Professional Corporation
Tel:  877-883-2803
Fax: 877-883-0099
10940 Wilshire Blvd, 16th FL
Los Angeles, CA  90024
1227 De La Vina St
Santa Barbara, CA  93101

The materials presented in this Advisory e-Alert are educational only and are neither legal advice nor a substitute for it. Advisory e-Alert presents a general discussion which may or may not apply to your particular legal or factual circumstances. The distribution of Advisory e-Alert is not intended to create, nor does it create, an attorney-client relationship. Please do not send us confidential information without receiving explicit authorization from Advisory Law Group to do so. Do not take or avoid taking any action as a result of the materials presented in this e-Alert without first obtaining legal counsel.   
The Immediate Leader Experience
Mentor Program

You're a physician who wants to form a medical group and, among other things, subcontract with or employ other physicians, enter into exclusive contracts, obtain significant stipend support money, create related entities to increase protection and the like. And you want to come up to speed on all of this immediately.

Or, you're the new leader of an existing group with complex practice and business operations -- you need to understand how to master the group's organizational, operational and leadership issues -- and you need to be brought up to speed immediately.
After having regularly dealt for many years with physicians in both of these contexts, we've designed a process to deliver immediate results: The Immediate Leader Experience™.
The Immediate Leader Experience™ takes place over a weekend in Santa Barbara, California and includes two nights accommodation at the Four Seasons Santa Barbara Biltmore Hotel. 
In two short days, you'll be entirely up to speed, totally prepared and confident.  You'll be armed with tools and sample documents.
Due to the nature of this program, admission is upon interview only -- there is extremely limited availability.