Protect your Patients, Protect Your Practice: What You Need to Know about the Red Flags Rule
Compliance Date: June 1, 2010
Update: The Federal Trade Commission (FTC) has delayed the compliance deadline of the Red Flags Rule until June 1, 2010. The AMA will utilize this time to convince the FTC and Congress to republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program.
In Nov. 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule,” requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. The Rule was originally scheduled for a Nov. 1, 2008 compliance date; the FTC has now delayed the enforcement date until June 1, 2010. The new compliance date, which follows three earlier extensions to May 1, August 1 and then later to Nov. 1, is a result of continued advocacy by the AMA and others who continue to object to the applicability of this Rule to health care providers and other professionals.
Since the Rule was issued, the AMA has objected to the FTC's interpretation that physician practices are "creditors" when they accept insurance and bill patients after services are provided or if they allow patients to set up payment plans after services have been provided. The FTC states that this delay is intended to "give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs."
While the AMA intends to continue to make the case to Congress and the agency that the FTC should republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program, the AMA has prepared a guidance document, along with sample policies, so that members can incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies.
Red Flags Rule Guidance Document
This informative resource addresses the following questions:
- What is the purpose of the Red Flags Rule?
- How do the rules differ from HIPAA Privacy and Security Rules?
- Who has to comply with the Red Flags Rule?
- What is a “Red Flag”?
- How can physician practices comply with the Red Flags Rule?
This resource includes simple, customizable policies and procedures to incorporate into your practice in order to comply with the Red Flags Rule's requirement that entities have reasonable policies and procedures in place to identify, detect, and respond to Red Flags. Also included in this policy is the FTC's Identity Theft Affidavit, which can be used by patients who may be victims of identity theft.
AMA members can access the Word version of the sample policy and adapt it to their individual practice.
FTC's frequently asked questions about the Red Flags Rule: "Fight Fraud with the Red Flags Rule: A How-To Guide for Businesses"