Avoid Federal Fines

Get In Compliance
With The FTC "Red Flag" Rules
Before The May 1 Deadline

If you operate a business,
governmental office,
not-for-profit organization, or are a healthcare provider
and have client accounts,
YOUR ORGANIZATION IS COVERED...

Effective November 1, 2008, the United States Federal Trade Commission (FTC) adopted regulatory language requiring various entities, including businesses, not-for-profit organizations, and governmental units, to create policies and procedures to address detection, prevention, and mitigation of identity theft for “covered accounts”.

Enforcement of this regulation is to commence May 1, 2009.

Identity theft is basically any case of actual or attempted fraud using identification information of another person. Medical identity theft is a subset of identity theft and involves fraudulently obtaining medical services using identification information of another person or persons.

What is the “Red Flag” Regulation?

The regulation requires all covered entities to:

  1. Identify relevant patterns, practices and activities that signal possible identity theft and incorporate those into provider policies and procedures to identify, prevent, or mitigate identity theft risk.


  2. Create an effective program to detect these “red flags” in daily operation.


  3. Respond appropriately to detected “red flags” to prevent and mitigate identity theft.


  4. Ensure the program is updated periodically (at least annually) to incorporate new issues, effective responses, and experience to make the plan more effective.

Who Is Required To Comply?

Any business, government unit, or not-for-profit organization -- regardless of size -- is considered a "creditor" and is required to comply if it maintains customer "accounts" for individuals. Not all of these accounts may be covered, but if ANY accounts are covered, you must comply. If you issue credit cards or utilize consumer credit reports in issuing or collecting accounts, you also must comply.

To be a covered account, it must bill for services or products after they are rendered or delivered or involve financial information that would be capable of harming the client or the organization if identity theft were to occur.

You may also fall under the provisions for consumer reports if you request credit reports and background checks on your employees, as required for healthcare personnel in many states.

Why does the regulation apply to physicians, clinics, and hospitals?

Most healthcare providers are covered by these regulations, even though they are not used to being regulated by agencies like the Federal Trade Commission, which deals more with consumer fraud, or by those that typically regulate financial institutions. Most healthcare providers fall under the law due to its definition of "creditor", which applies to personal accounts that are paid after the service is rendered or which are intended to be paid in installments.

Most healthcare accounts or charges are not paid in advance of service, but even if a provider generally provides care on a pre-paid basis, accepting patient payments plus insurance payments amounts to a multiple payment account that would make the provider subject to the Red Flag regulations.

Not-For-Profit and Government Entity Organizations:

The FTC's position has consistently been to apply for-profit rules to those portions of not-for-profit operations that are basically commercial in nature – specifically, billing and accounting practices. Healthcare providers organized as not-for-profit operations, such as some hospitals and federally qualified clinics, are therefore still liable for compliance.

Similarly, state, county, city, and special district owned facilities or practices would be subject to the regulation, as the FTC specifically has extended its enforcement to governmental units as well.

How Complicated Is This?

The regulation itself does not set out the operational details for every business or healthcare provider. Instead, the rule requires an analysis of risks in each business or practice and allows a compliance response that is reasonable to the size of the business and the degree of identity theft risk in the business or practice. Larger practices or hospitals will require more detailed and sophisticated policies and procedures, while smaller offices and hospitals will require only basic policies and procedures.

Fortunately, many of the issues raised by the Red Flags are similar to the HIPAA patient privacy and security issues that most healthcare providers are now very familiar with. Banks, lending companies, and companies that use consumer credit reports have more demanding compliance requirements than most small to moderate-sized healthcare practices.

Most small hospitals, offices, and clinics can be ready to present their compliance program to their Board for approval in 24 hours or less. Staff training will require additional time after the policies and procedures are approved.

What Is Included In The Toolkit?

1. Self-displaying PowerPoint™ AV training program on the Red Flag process (PPS) – START HERE. This Audio-Visual program provides a quick overview of the Red Flag compliance program and how to use this Toolkit. This simple and direct overview helps you get started with the process without getting bogged down in details that aren’t applicable to your situation.

2. Self-displaying PowerPoint™ AV training program on Medical Identity Theft and Red Flags (PPS) – STEP TWO. This Audio-Visual program provides you with an educational tool for your compliance team, staff, and Board to understand the basics of the Medical Identity Theft issue and Red Flag requirements. This presentation is a good starting point for your presentation of the policies and procedures to the Board and later to staff.

3. Red Flag Compliance Checklist (PDF) – STEP THREE. This tool will help you quickly identify necessary tasks in the compliance process.

4. Red Flag Worksheet (PDF) – STEP FOUR. This tool lists all 26 FTC sample Red Flags plus nationally recommended Red Flags for typical healthcare providers. You will select Red Flags that apply to your healthcare practice or hospital. It also asks questions to help identify other compliance elements for customizing the Red Flag policies and procedures to your own office, clinic, or hospital.

5. Sample Red Flag Compliance Policies and Procedures (PDF) – STEP FIVE. This tool gives you an overview of how a simple, compliant, and effective policy and procedure may be laid out and helps you understand how the Worksheet elements influence the content of the policies and procedures.

6. A working copy of the Red Flag Compliance Policies and Procedures (DOC) – STEP SIX. This is a file in Microsoft Word™ format (.doc) that allows you to modify the sample policies and procedures to create a policy and procedure draft for legal review and approval by your Board.

7. A complete copy of the Federal Register official version of the regulations (PDF) – This resource provides you with the official explanation and language for the regulation.

Who Prepared These Tools?

These tools were prepared by Stephen A. Frew, JD, Vice President -- Risk Consultant for Johnson Insurance Services, LLC. of Madison, WI, for clients of Johnson Insurance and Johnson Bank. Steve is a nationally known speaker, author, and consultant on risk and compliance issues in healthcare and a Certified Identity Theft Risk Management Specialist.

Why Are You Making Them Available To The Public?

After making these tools available to our own clients, we saw the need for these tools nationally in many lines of business and, in the few weeks remaining before the compliance deadline, decided to make these tools available to non-clients. We are offering a special version for healthcare providers and a Business Edition for all other types of organizations.

How Do I Get A Copy Of The Toolkit?

If you are a client of Johnson Insurance Services, LLC. in Wisconsin or Arizona, contact your Johnson agent directly to receive a copy of the FTC Red Flag Toolkit.

If you are not a Johnson client, click on the icon below and you will be taken to the order page.
