March 30, 2009

The May 1, 2009 enforcement date for what are commonly referred to as the “Red Flag Rules” is fast approaching. Many readers will remember that ABC addressed this topic in an e-blast last October, and also in February in our list of important issues for 2009. We are providing this additional information to assist you in your understanding of the regulations as they would apply to an anesthesia practice.

Overview

The Red Flag Rules require financial institutions and “creditors” to develop and implement identity theft prevention programs that provide for identification, detection, and response to patterns, practices or specific activities (known as red flags) that could indicate identity theft. Although enforcement was initially slated for November of 2008, the Federal Trade Commission—pushed hard by the AMA and other medical associations—suspended enforcement until May 1, 2009 to give creditors, which may include many health care providers, additional time to develop and implement their identity theft programs.

Many health care providers were surprised to learn that they could be subject to the Red Flag Rules. The FTC regulation defines a creditor as an entity that regularly extends, renews, or continues credit, or arranges for the extension of credit. The FTC would include a health care provider in this definition if the provider does not regularly demand payment in full for services at the time of service, which, according to the FTC, would be considered extending credit. If the provider is a creditor, the next step is to determine whether the provider maintains covered accounts of its patients. This would include consumer accounts designed to accept multiple payments and other accounts that would have a reasonably foreseeable risk of identity theft.

In summary, it appears that the FTC’s position is that health care providers are subject to the Red Flag Rules if they extend credit to a consumer/patient by establishing an account that permits multiple payments (e.g., if a patient only pays the deductible or a co-payment at the point of service, the provider becomes a creditor). You can learn more about the Rules by visiting the Federal Trade Commission website at www.ftc.gov.

How Do the Rules Apply to an Anesthesia Practice?

According to the regulations, a practice that extends payment plans to patients must establish an Identity Theft Prevention Program (“the Program”) which must be appropriate to the size and complexity of the organization and nature and scope of its activities. The Program must include “reasonable” policies and procedures to:

  1. Identify relevant Red Flags;
  2. Detect Red Flags; and
  3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.

From an administrative standpoint, a practice must obtain approval of the initial policies and procedures from its board of directors or other appropriate committee of the board. Moreover, it must involve the board (or committee of the board) or another member of senior management in the oversight of the Program and train appropriate staff. In developing policies and procedures, each covered practice is required to consider applicable guidelines set forth in Appendix A of the FTC portion of the regulations (see above link). Some of the key factors in the guidelines applicable to anesthesia practices would include considering categories of Red Flags such as:

  1. Presentation of suspicious documents (e.g., documents provided for identification in connection with obtaining anesthesia services that appear to have been altered or forged or on which the picture identification is not consistent with the appearance of the patient who is presenting for surgical and anesthesia services);
  2. Suspicious identifying information (e.g., using a Social Security number that has not been issued or is listed on the Social Security Administration’s Death Master File, or inconsistent information such as the lack of correlation between a Social Security number range and a date of birth);
  3. Presentation of incomplete information; and
  4. Notice from a victim of identity theft or others that a person has engaged in identity theft or opened a fraudulent account.

Given the hospital-based nature of most anesthesia practices, the Red Flag Rules will come into play at the time a patient presents identifying information in connection with obtaining anesthesia services for which payment may be made over time. As anesthesia practices typically rely on the hospital or other facility personnel to gather relevant payment and identifying information, we believe that anesthesia practices will need to coordinate with their hospitals/facilities to ensure that appropriate procedures and protocols will be employed and followed with an eye towards identifying, detecting and responding to problematic identity theft behaviors. We suggest that you meet with appropriate hospital or facility administration to ensure that appropriate procedures are in place with regard to the patient admission process. Many hospitals may have already developed, or are in the process of developing, appropriate written policies and procedures governing the admission process that could be adopted by the anesthesia practice to meet its obligations under the Red Flag Rules. Some hospitals are seeking guidance from the American Hospital Association’s website, which contains a sample policy for hospitals to consider.

For those practices that have a chronic pain component with its own patient admission process, it will be important to establish protocols for the patient admission process. For example, these protocols would include stopping the patient admission process when a patient presents with identification documents that appear to have been altered or forged or that contain inconsistent information (e.g., picture I.D. does not match the appearance of the patient or information on the insurance card). In such cases, the patient admission and billing process should be halted until additional documentation is provided by the patient to continue the admission process. These protocols need to be spelled out in writing.

We encourage every practice to review the actual regulations linked above (Note: the relevant pages for health care providers would include pages 63772-63774). All anesthesia practices should verify that their billing teams are prepared to comply with the new Red Flag Rules.