The "Red Flags" Rule

WHO MUST COMPLY according to the Federal Trade Commission?

Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Creditor Defined: Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

Covered Account Defined: The second key term, “covered account,” is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

As a practical matter, most businesses and organizations that provide products and services to their customers and then bill them later are covered by the Rule.

Note: If you’re covered by the Rule, your program must:

  1. Identify the kinds of red flags that are relevant to your practice;
  2. Explain your process for detecting them;
  3. Describe how you’ll respond to red flags to prevent and mitigate identity theft;
  4. Spell out how you’ll keep your program current.

The FTC provides a do-it-yourself form for a Red Flag program at the following link: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf

If you need more help determining whether your business must abide by the Red Flags Rule, this link leads to a 17-page booklet that explains the Rule more thoroughly: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

*OAA offers special thanks to Robert W. Stratton of Chester County Opticians for the Red Flag Alert.