FAQs FOR THE MEDICAL & HEALTH CARE INDUSTRIES

Why is the Medical & Health Care Industry required to abide by an FTC ruling ... when they normally fall under the jurisdiction of the Department of Health and Human Services?

The medical industry is required to abide by the FTC's Red Flags Rule to protect their patients because in certain circumstances they fall under the definition of a "creditor". These circumstances include allowing patients to pay for products and services after they have received them and/or accepting insurance on behalf of their patients, but ultimately expecting their patients to be fully responsible for the debt should the insurance company decide not to pay.

What is being done to prepare the Medical and Health Care Industry for the Red Flags Regulations?

The FTC has sent out bulletins detailing the Red Flags Program and who is required to comply. Medical Associations have clarified and asked for specific instructions and have sent this information to their members. Legal firms that represent medical providers have also issued compliance instructions and details. Finally, the FTC has issued a six-month delay to allow medical providers and other "creditors" time to hear about the Red Flags Rule, get their programs developed and their training implemented.

Is a written & Board approved Red Flags Program required if we are HIPAA compliant?

Yes! HIPAA compliance is separate and distinct from your Red Flags compliance. Although the two overlap in some areas, it is still necessary to be fully Red Flags compliant by the May 1st, 2009 deadline. HIPAA is governed by the Department of Health and Human Services; its basic function is to maintain the privacy of the health records of individual patients. The Red Flags Rule is governed by the Federal Trade Commission (FTC) and 5 other federal organizations, but it is enforced by the FTC. The Red Flags Rule focuses on the personally identifiable information of individuals, with a laser focus on their financial information. The FTC enforces consumer rights.

Can our HIPAA compliance officer also be our Red Flags compliance officer?

Yes. Your Red Flags Program must be managed by either your Board of Directors or senior executive employees, who can designate your HIPAA compliance officer to also be your Red Flags compliance officer.

If a medical facility outsources their billing or other services, who is responsible for the safety of the patients' personally identifiable health and financial information?

Institutions will be held responsible for their Red Flags compliance and they must ensure their third-party service providers meet the same standards of data protection. This means that your business is ultimately responsible for complying with the Red Flags Rules and Guidelines even if it outsources an activity to a third-party service provider.

What if a doctor changes practices, moves or changes specialties?

The medical records that remain with the original Practice are the responsibility of that Practice, while the newly generated records in the doctor's new practice are the responsibility of the new Practice.

What is the responsibility of a medical facility to a patient's aged medical records?

A medical facility is responsible for keeping patients' records safe and protected for as long as it is required to keep them. The key to this question lies in the disposal process for aged records. A facility is responsible for the proper destruction and disposal of all personally identifiable information of both its consumers and its staff and employees.

What is a Red Flag?

A warning signal; something that demands attention. According to the Federal Trade Commission's (FTC) regulation, a Red Flag is a specific activity that could signal the danger and probability of identity theft. It draws your attention to the possibility that there is a risk to the safety and security of your policies or procedures.

What is the Red Flags Rule?

The Red Flags Rule is an amendment to the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Its purpose is to hold businesses responsible for safely protecting consumers' information against identity theft.

What is a Red Flags Program and what does it include?

A Red Flags Program provides for the identification of, detection of and response to patterns, practices or specific Red Flag activities that indicate that conditions for identity theft exist or that a form of identity theft has just occurred.

What is the purpose of a Red Flags Program?

A Red Flags Program is the government's way of holding businesses accountable for the more than 48 billion dollars lost annually to identity theft and fraud. With a fully compliant Red Flags Program in place, businesses should better protect consumers while they identify, detect, prevent & mitigate fraudulent and deceptive acts.

Who must comply with Red Flags Requirements and by when?

The Red Flags Rule applies to businesses and organizations that hold customer transaction accounts. This includes doctors' offices and medical facilities, hospitals, auto and motorcycle dealerships, health clubs, furniture stores, mortgage, utility and cell phone companies, financial institutions and creditors with "covered accounts". The compliance deadline for financial institutions was November 1st, 2008, and the new enforcement date is August 1st, 2009 for most other businesses.

What is a creditor under the Red Flags Rule?

A "creditor" is someone who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors. In other words, if your practice or business allows your patients/consumers to receive products or services and pay later, then you're a creditor under the FTC's definition.

How is a Red Flags Program created?

A Red Flags Program begins with an audit and assessment of a business's current policies and procedures for each individual location. Then a thorough Red Flags checklist is reviewed, and protective policies and procedures are written and approved by the business's Board of Directors, or by a governing executive if there is no Board of Directors. Once approved, employees and staff are trained, and on-going education is mandated to keep pace with changes in the tactics and schemes of identity thieves.

How long will it take to prepare a Red Flags Program?

The time involved in preparing your program depends on the size, number of locations and complexity of your accounts and transactions, along with the current policies and procedures of your business. Implementing your Red Flags Program could take a few days or even a month or more to facilitate all of the facets mandated and required by the FTC. These times are dependent upon the current knowledge and understanding of the team tasked to complete this project and their commitment to better protect your business, patients and consumers.

Who are the governing agencies of the Red Flags Rule?

The final Red Flags Rule was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), with the FTC assigned as the governing body.

Does the FTC have the power to force our office to comply with the Red Flags Rule?

Yes! The FTC has a $250 million annual budget, subpoena power and the ability to refer cases to the Justice Department for prosecution. For specifics, read on ...

The Commission may "prosecute any inquiry necessary to its duties in any part of the United States" (FTC Act Sec. 3, 15 U.S.C. Sec. 43) and may "gather and compile information concerning, and to investigate from time to time the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce...

The Commission's specific investigative powers ... authorize investigations and various forms of compulsory process, until the requested information is provided, thus effectively enabling the Commission to obtain information regarding such acquisitions.

The FTC Act authorizes the Commission to "require by subpoena the attendance and testimony of witnesses and the production of all such documentary evidence relating to any matter under investigation" ... More at www.ftc.gov/ogc/brfovrvw.shtm

Example of a recent FTC Ruling on a Database breach ...

At Least 800 Cases of Identity Theft Arose From Company's Data Breach

Consumer data broker ChoicePoint, Inc., which acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws.

Can your business, organization or practice afford to pay more than $93 per name in your database for only one breach in your office, rather than comply with the Red Flags regulations?

What happens if our practice doesn't comply?

If your practice doesn't comply, you may be subject to:
- Civil Financial Penalty Per Violation
- Increased Legal Expenses
- Heightened HIPAA Evaluation & Scrutiny
- Lowering of Examination Rating
- Increased Liability Insurance
- Cease and Desist Orders
- Loss of Credentials
- Privileges Revoked
- Consumer Lawsuits
- Negative Publicity
- Loss of Patients
- Loss of Practice
For easy, proven results on how to fully implement your FTC mandated Red Flags Program contact your local Red Flags Field Agent at 443.804.7787.
You are guaranteed to save money and time in the construction and implementation of a quality program that best protects your patients and your Practice.