MEDAC BILLING & COMPLIANCE ALERT October 30, 2009
By: Bellinger P. Moody, RHIA, CPC, CPC-I, CCP, Executive Vice President of Compliance
Red Flag Identity Theft Rules
Effective November 1, 2009, the FTC-mandated Red Flag Rules for health care providers become enforceable.
In compliance with these rules, Medac, Inc. has adopted new policies and procedures to identify and avoid risk factors in patient accounts. One significant risk factor is patient identity theft – specifically in the processing of patient credit card information.
Therefore, the following new Medac policies become effective November 1, 2009:
- Medac, Inc. will no longer accept any written credit card information via e-mail, fax, or scanned documents;
- Medac, Inc. will no longer file or retain any written patient credit card information;
- Medac, Inc. will supply all clients with written policies and procedures for processing patient credit card transactions within Medac, Inc. operations;
- Medac, Inc. will supply all clients with written policies and procedures for processing patient credit card transactions for prepayments in the clients’ offices.
Additionally, Medac, Inc. has established a secure Medac Patient Portal for processing online credit card and check transactions. Medac management will be contacting appropriate personnel to review these policies and train them on new protocols.
The Red Flag Rules only apply to healthcare practices with 20 or more employees. According to a recent article published on October 26, 2009 by Dom Nicastro, for HealthLeaders Media – “On Tuesday, October 22, the House of Representatives unanimously passed a bill that exempts healthcare practices with 20 or less employees from the Federal Trade Commission’s (FTC’s) identity theft Red Flag Rules requirement. Further, the bill lets off the hook any entity that:
- Knows all of its customers or clients individually;
- Only performs services in or around the residences of its customers;
- Has not experienced incidents of identity theft and identity theft is rare for businesses of that type;
The FTC would determine if a business meets these criteria. The bill moves on to the senate next.”
Therefore, it is safe to say that if you have 20 or fewer group members in your practice, you are exempt from the Red Flags Rule, which, again, will be enforced starting November 1, 2009, and will require healthcare entities considered to be “creditors” to implement an identity theft prevention program. If you meet the criteria for Red Flags Rule enforcement and have not yet received the Medac-designed “Red Flag Identity Theft Compliance Program” – specified in one of my previous alerts, dated April 8, 2009 and entitled “Medac Billing & Compliance Alert – Red Flag Identity Theft Compliance Program Now Available” – please contact me via e-mail or phone and we will get it out to you immediately.
The information presented herein reflects general information that is current as of the date it is first published. In light of changes that may occur in the health care regulatory and compliance environments, the author's presentation of this information and any general advice previously published might become outdated. Please check with your individual legal and/or compliance advisor(s) prior to taking any significant actions based upon the information and advice presented.