December 27, 2010
We approach the end of the year with good news from one of the federal regulatory agencies, the FTC. We would like to think that this will set the tone for 2011. No matter what changes appear in the health policy landscape going forward, we will continue to strive to help our clients and all our readers take the opportunities and surmount the challenges. Thank you for your support in the past year. May the New Year bring you much happiness and continuing success.
For more than two years, physicians, including anesthesiologists and pain management specialists, have been monitoring whether the Federal Trade Commission’s (FTC) Identity Theft Regulations, commonly referred to as the “Red Flags Rule,” would actually be enforced against health care providers. In the FTC’s final regulations published in November of 2007, the Red Flags Rule required “creditors” “to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts.” Because of the strong opposition to the Rule’s application, especially from the American Medical Association (AMA) (which, ultimately, filed a lawsuit against the FTC), the enforcement date was delayed on numerous occasions, with enforcement slated to take effect December 31, 2010. Despite the debates as to the applicability of the term “creditor” to physicians and other health care entities and despite delayed enforcement, the FTC did not waver from its position that physicians who allowed patients to pay over time (e.g., did not collect all monies owed upfront because they billed the insurance carriers) were creditors for the purposes of the Red Flags Rule. Although most physicians certainly understand the importance of safeguarding sensitive information such as social security numbers, unfortunately, they would have been subject to many burdensome requirements that many thought were not particularly applicable to medical practices and others that did not fit the traditional creditor role.
The good news: on December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010 (Clarification Act), which now limits the definition of “creditor” for purposes of applicability of the Red Flags Rule. Most physicians no longer fall within the definition of creditor and therefore are not required to implement an Identity Theft Prevention Program. In other words, anesthesiologists and pain management physicians no longer need to worry about complying with the Red Flags Rule mandate of implementing comprehensive policies and procedures regarding identity theft. The term “creditor” is now limited to those that use consumer reports, furnish information to consumer reporting agencies, or advance funds to a person. Importantly, the definition does not include those who advance funds for expenses incidental to a service.
While physicians should consider the Clarification Act a great victory in terms of easing regulatory burden in an already overly regulated industry, it is important for physicians to continue to safeguard patient social security numbers through existing HIPAA policies and procedures. To the extent that this information is improperly disclosed or shared, a practice can have liability under State law and, in some cases, HIPAA. Physicians should also check their state laws with regard to safeguarding of social security numbers and any mandatory obligations such laws may impose on their practices. Many states have social security number protection laws, which, essentially, require entities to safeguard social security numbers, including by allowing access only to those who require it to perform job duties, not using social security numbers as identifiers, and having proper disposal practices (e.g., shredding).
We are looking forward to providing you with more information on practice management affairs in the coming year. With best wishes for a Happy New Year,
Sincerely,
Tony Mira
President and CEO