FTC Red Flags Rule places new burden on oncology

August 24, 2009

Identity theft is one of the country’s fastest growing crimes. Half of the annual 8.3 million identity thefts occur in the workplace, and medical practices are no exception, according to the Federal Trade Commission. Medical records are rich in information, such as a patient’s Social Security number, date of birth, credit card numbers, and insurance information, which can be misused for financial gain and for medical fraud.

As a result, Congress decided that all “creditors,” including healthcare providers, must develop an effective means of protecting against identity theft. The Red Flags Rule was introduced in 2007 and went into effect in 2008. The rule underwent multiple compliance-deadline extensions before the FTC mandated that it be in place in all practices by November 1, 2009.

On July 29, 2009, the FTC not only gave practices a reprieve until November, but also promised to update its website (see Table on page 8) with additional materials to clear up the general confusion that seems to prevail about the Red Flags Rule, especially in its application to low-risk, small businesses.

The rule’s ultimate goal is to identify and detect patterns and activities (red flags) that signal a privacy breach.

Needless to say, medical professionals are not gung-ho about the rule. “The Red Flags Rule will present yet another administrative burden to each medical practice,” said Cary Presant, MD, of Wilshire Oncology Medical Group in Los Angeles.

“Since nearly every practice will be covered by this rule, and many vendors will also be subject to it, each practice will have to modify its standard operating procedures manual to develop a theft prevention program and ensure that all its vendors have one in place. We will have to train office personnel and have a notification procedure for patients,” said Dr. Presant, who is also past president of the Association of Community Cancer Centers.

AMA sees red
The Red Flags Rule was not hoisted without a fight. The American Medical Association argued that health insurance payers are the creditors, not physicians. Additionally, doctors already devote substantial resources to complying with HIPAA requirements. Finally, the AMA painted a potential doomsday scenario in which physicians could demand payment up front or simply abandon practicing medicine altogether.

The FTC was unimpressed, drawing upon numerous court cases and regulatory decisions to support its position that healthcare providers are creditors. The FTC also maintained that the rule complements, not duplicates, HIPAA. The commission offered reassurance that providers would not be significantly burdened because the rule is designed to be “flexible and tailored,” according to Eileen Harrington, acting director of the FTC Bureau of Consumer Protection.

In a February 4, 2009 letter to the AMA, Ms. Harrington pointed out that most physicians’ offices already take some measures against identity theft, such as checking photo IDs and restricting access to patient files.

Of course, there is more to the rule than matching a patient’s face with a driver’s license. The rule requires practices to implement a written identity theft prevention program that monitors daily operations. This written policy must be approved by a governing board or a senior-level employee. Also, a practice must designate one employee as the individual responsible for implementing and administering the prevention program. Finally, all employees must be trained on this policy, and documentation of this training must be kept in their personnel files (see Table).

Adhering to the rule is more than a needless burden, according to Harry Perret, an identity theft risk management specialist and executive director of Prevention Benefits in Nashville, Tenn., and New Orleans. “Any liability leaves the doctor at risk,” he said, adding that the risks to patients are “both financial and potentially life-threatening.”

Complying quickly
Ricky Newton, CPA, manages Cancer Specialists of Tidewater in Chesapeake, Va., and is a frequent speaker on practice issues at community oncology conferences. He told Oncology News International that he had just become fully aware of the Red Flags Rule. “I am trying to figure out what we are supposed to do to become compliant as a private practice. I am still confused about the details,” he said.

Jayne Gurtler, MD, a New Orleans-based oncologist in private practice, said her group feels that they were not informed about the rule. “I’ve always strived to be in compliance with all regulations and especially those that affect the privacy of my patients, but I had no idea about this rule,” she said. Dr. Gurtler added that a physician has been assigned at her practice to learn more about the rule and its requirements.

Glenn Balasky of the Mark H. Zangmeister Center in Columbus, Ohio, said his group has been aware of the rule for some time. “We were on top of this before they delayed the deadline. But we are not excited about it,” said Mr. Balasky, executive director of the cancer center. “It’s the ‘son of HIPAA’ and provides one more regulatory thing to tie up staff time. We have a tough enough time making oncologists aware of what they need to do clinically and operationally.”

Mr. Balasky’s first step will be “implementing high-level awareness,” and then he will “work through the details” to establish what needs to be done by key personnel, he told Oncology News International.

“We have dedicated a team to be responsible for knowing the requirements and we have put something in writing that we are now editing,” he said.

Legal viewpoint
Mark F. Weiss, JD, an attorney with Advisory Law Group of Los Angeles and Santa Barbara, Calif., assured physicians that compliance is relatively easy and is congruent with HIPAA. Once the hand-wringing subsides, a practice would be wise to recognize that the rule actually protects its financial interests. “Compliance with the Red Flags Rule will help prevent an individual’s healthcare record from becoming polluted with an imposter’s data,” he said.

“The rule will also serve to limit some instances in which groups will deliver services and then not be paid due to the fact that the recipient of the care was not actually the insured party or plan member,” Mr. Weiss noted.

Consequences of noncompliance
As far as the FTC is concerned, physicians were given ample time to learn about the rule. “The FTC has made several announcements about the Red Flags Rule and delayed the enforcement deadline twice. We shared this information extensively with industry groups and trade publications,” said Frank Dorman of the FTC Public Affairs Office.

What happens if a practice is still not in line with the rule at this stage? According to Mr. Weiss, “the penalty can be as high as $3,500 for each ‘knowing violation.’”

“A group’s noncompliance might be global and not just limited to a single instance, so it is conceivable that their liability for one violation might result, upon further investigation, into liability for many penalties,” he added.

How exactly does the FTC intend to enforce the rules? “We will be using many of our customary tools to look for compliance,” Mr. Dorman said. “For example, we will be looking at our consumer ID theft complaints for any patterns that reflect a disproportionate number of fraudulent accounts opened at a particular entity or in a particular sector. We may respond to complaints about specific entities.”

But given that the rule’s implementation is still in its early phases, evidence of good faith efforts at compliance will be taken into consideration. The FTC will most likely focus on creditors with a high risk of ID theft, and, in general, medical practices do not fall into that category, Mr. Dorman said.

Even if the FTC considers practices to be low risk, making the rule a reality will mean more work for physicians, Dr. Presant said. “More than ever, it’s not easy being a physician: Fighting fatal diseases, appealing to payers, explaining to patients, and now complying with even more burdensome rules; it’s all supposed to fit into a day’s work.”