Effective November 1, 2009, DMEPOS providers must have an Identity Theft Prevention Program (ITPP) plan in place to protect patient information. The program must include procedures to detect identity theft, prevent identity theft from occurring and minimize the damage caused if identity theft does occur.
These requirements are part of a new “Red Flags Rule” issued by the Federal Trade Commission. The law is designed to guard against medical identity theft by requiring creditors to be aware of “red flag” actions or situations which could result in identity theft.
Nearly all DMEPOS providers – including mastectomy fitters, compression hosiery and breast prosthesis providers – fall subject to the rule under its definition of a “creditor.” The FTC defines a creditor as anyone who bills patients or a third party payor after providing a service. Patient accounts receivables are also included in the rule’s definition of a “covered account.”
The only healthcare providers not covered by the Rule, and therefore not required to implement an ITPP, are:
- Providers who only require payment before or at the time of service.
- Providers who accept only direct payment from Medicaid.
- Providers who accept only direct payment from programs where the patient has no responsibility for any fees.
All other providers must have in place, by November 1, 2009, a written ITPP that has been approved by their board of directors or senior management. ITPPs should include the following information:
- An identification of red flags (suspicious activities) relevant to your practice that may result in identity theft (e.g., a patient presenting an expired driver’s license as proof of ID, or a sudden change of address without prior notification from the patient).
- What processes or procedures you will use to detect red flags (possible attempts at identity theft) in day-to-day operations.
- A description of how you’ll respond to red flags to prevent and mitigate identity theft.
- A description of how you’ll respond to identity theft to mitigate damage to the victim.
- A detailed plan to keep your program current to address new risks and trends.
- How you’ll monitor any billing subcontractors for compliance with the Red Flags rule.
- A Red Flags rule employee training program.
If you have not yet developed your program, a sample ITPP created by the American Medical Association (AMA) is available for download at: http://www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml.
The FTC also offers an online template you may fill out and use to develop a compliant ITPP at:
www2.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf.
Affected providers who do not develop ITPPs risk being fined by the FTC, and non-compliance may be construed as a violation of Medicare’s requirement that providers operate in compliance with federal and state regulations.
For more information, see: www2.ftc.gov/redflagsrule.
Andrea Stark, MiraVista LLC DMEPOS Consultant, www.miravistallc.com. Ms. Stark spoke at Focus on the Future 2009.