Red Flag Rules

FTC Extends Deadline for Red Flags Rule A recent study on medical identity theft was conducted in February 2010. This study was sponsored by ExperianÞs ProtectMyID.com, and performed by the Ponemon Institute. The purpose of this research was to determine how pervasive medical identity theft is and how it has affected American consumers. According to the study, more than 1.4 million Americans have been affected by medical identity theft. This information is extremely interesting especially in light of the often postponed implementation the Red Flags Rule. The Red Flags rule, if it ever goes into effect, will require us to utilize methods of verifying the identification of each patient who presents for treatment and is utilizing insurance to pay for their care. Medical identity theft can cost both physicians and patients on a number of different levels. First, there are the direct costs to the patient. Based upon the study, the average per-patient cost to resolve an incident of medical identity theft was more than $20,000. This does not include the non-monitory costs of mental anguish, or embarrassment. In addition, 48% of medical identify theft victims lost their health coverage, 55% had to make out of pocket payments directly to the health care providers in order to regain their health insurance coverage, and 32 % experienced an increase in their medical insurance premiums. Patients often become aware of medical identity theft only after collection efforts have begun, and the debt appearing on their credit reports. The real danger with medical identity theft is not the financial cost to the patients but the potential impact it will have upon their care. Almost one third of patients stated that they found out about the identity theft AFTER they discovered errors in their medical records that were a result of this identity theft. Soon our medical records will be connected to the National Health Information Network (NHIN), and we will enjoy the advantage of having all information necessary to appropriately treat patients at the tips of our fingers. Especially in emergency situations, having this information could be the difference between life and death. But what if the information we are provided is wrong due to medical identity theft? If we treat a patient who is committing medical identity theft, we could be placing erroneous information into the victimsÞ medical record. This information will then be propagated throughout the network and will be available to every physician in the country. Patients are not the only victim of medical identity theft; the physicians providing care are also victims. If a physician treats a patient who is providing fraudulent information, it is probable that they will never be paid for the services rendered, and if they did receive a check from an insurance company, they could be asked to return those funds. The next questions that come to mind are the legal ramifications for entering erroneous information into a patients chart due to medical identity theft. The potential consequences of medical identity theft to both patients and physicians are significant. Regardless of the status of the Red Flag Rule, it is incumbent upon us to verify the identity of every patient we see to protect the integrity of our medical records and protect the health of our patients. ================================================= Hot off the press from the Federal Trade Commission: "At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance. 'Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule - and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,' FTC Chairman Jon Leibowitz said. 'As an agency we're charged with enforcing the law, and endless extensions delay enforcement.' The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring 'creditors' and 'financial institutions' to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have 'covered accounts' to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities - known as 'red flags' - that could indicate identity theft. The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010. The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date. In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm ). The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members. As was the case previously, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R.§641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R.§681.2)."