The Security Scrutinizer with Howard Anderson

Seeing Red Over Red Flags

On Jan. 29, the AMA and three other associations wrote to the FTC to argue that small businesses like doctors' offices shouldn't be forced to comply with the rule, designed to combat identity theft at organizations that grant credit to customers.

In their letter, the associations noted that the U.S. District Court for the District of Columbia recently ruled that attorneys should be excluded from rule compliance.

They claim it would be unfair for doctors to have to comply with a rule that lawyers don't have to follow. They say that Congress intended the rule to be applied to large businesses, like banks. And they claim the rule "imposes an unjustified, unfunded mandate on health professionals for detecting and responding to identity theft."

The effective date for enforcement of the controversial Red Flags rule has been repeatedly delayed. Right now, the target date is June 1.

Meanwhile, the debate continues on whether it should ever apply to physicians, just as it applies to banks and other major creditors.

The administrator of one small physician practice in Florida argues that applying the Red Flags rule to doctors is unnecessary.

"We're doing what we should do without the government having to tell us what to do," says Nick Galantino, CEO at four-physician LoCicero Medical Group in Tampa.

For example, when a patient calls or visits the practice, the receptionist asks for more than one form of identification "to re-confirm that we have the right person's information before we talk to them," he says.

Also, the practice limits the amount of personal information displayed on bills that it mails to limit the value of the correspondence to anyone who might steal it or receive it in error. The bills list the patient's name, address and balance due, but not Social Security number or diagnosis, he notes.

Because the practice already has to comply with the HIPAA and HITECH Act security and privacy provisions, Galantino says he isn't thrilled about facing yet another regulation that requires compliance training and poses even more potential penalties for violations.

But can all physician group practices be trusted to take the precautionary steps that LoCicero Medical Group has taken without a federal regulation forcing the issue?

Meanwhile, some larger healthcare organizations already have taken steps to fully comply with the rule even though it's not yet being enforced.

Legacy Health System in Portland, Ore., believes that taking the steps that the rule requires "is just the right thing to do," says Shannon Talbert, senior consultant for corporate compliance.

"At first there was a lot of huffing and puffing about the hassle of coming into compliance," she says. "But it's the right thing to do; to be proactive in protecting health information."

Taking extra steps to protect patients' identity also can save money in the long run, Talbert argues. That's because "it forces us to take a look at accounts we'd normally write off as bad debt and pursue the bad guys stealing IDs to get treatment."

At Legacy Health, which owns six hospitals, complying with the Red Flags rule primarily involved "better organizing what we already were doing," Talbert says. For example, Legacy created a more formal process for how to identify and handle cases involving patients making multiple visits to an emergency room using fake IDs in hopes of getting a narcotics prescription.

As for whether the Red Flags rule should apply to physicians, Talbert points out that the FTC has provided guidance for simple steps that smaller organizations, such as doctors' offices, can take to comply.

An FTC how-to guide states, for example: "If identity theft isn't a big risk in your business, complying with the rule should be simple and straightforward, with only a few red flags. For example, where the risk of identity theft is low, your program might focus on how to respond if you are notified - say, by a consumer or a law enforcement officer - that the person's identity was misused at your business."

It seems to me that in light of the circuit court ruling exempting attorneys from the Red Flags rule, the FTC needs to explain to physicians exactly why they must comply.

And if, indeed, physicians must toe the line, the FTC needs to provide much more explicit guidance on the basic steps they must take to comply.

Because the FTC needs to address these issues, and more, I'm betting the enforcement deadline will be delayed yet again.

So what do you think? Is Red Flags compliance an unnecessary burden for physicians? Or is it a reasonable way to help minimize identity theft?

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
