Description

Attached is the article that I need a summary of. Need a good grade on this. Make it at least 1 page long. Thanks,


Unformatted Attachment Preview

Practice Management
HemOnc today | APRIL 25, 2009 | HemOnc Today.com
LEGISLATIVE & REGULATORY ISSUES
Federal identity theft prevention rule
Will health care providers be liable for failure to
establish identity theft prevention programs?
by Nancy L. Perkins, JD
Health care professionals are potentially at risk of
federal sanctions if they are not ready to implement a
written program to prevent identity theft by May 1, 2009.
According to the Federal Trade Commission, health care providers who regularly bill patients for services after they
are rendered are “creditors” within the
meaning of the Fair and Accurate Credit
Transactions Act of 2003 (FACTA),
and thus must establish a comprehensive Identity Theft Prevention Program
as required by the FACTA “Red Flags”
anti-identity theft regulation.
In an Enforcement Policy statement issued in October 2008, the FTC
acknowledged that many entities subject to its jurisdiction, including members of the health care industry, were
unaware they could be categorized
as “creditors” under this rule. To give
them more time to come into compliance, the FTC extended by six months,
until May 1, 2009, the date for its enforcement of the rule. However, despite
vigorous protest by members of the
health care community, the agency remains insistent that the rule applies to
many health care professionals and that
they must comply by that date.
Community backlash
The American Medical Association
and a large group of other medical associations believe the FTC’s position with
respect to coverage of health care professionals is misguided and also object to
the manner in which the agency promulgated the Red Flags Rule. They wrote to
the FTC last year to voice their objections
and subsequently met with commission
staff to discuss their concerns. After that
meeting, in a letter dated Feb. 4, 2009, the
acting director for the FTC’s Bureau of
Consumer Protection rejected the AMA’s
views and stated, in no uncertain terms,
that health care professionals may be
“creditors” within the meaning of FACTA and thus subject to the rule. According to the FTC, the “plain language and
purpose” of the Red Flags Rule dictates
that health care professionals are covered
by the rule when they “regularly defer
payment for goods or services.”
The FTC’s position is based on
FACTA’s definition of “creditor” as “any
person who regularly extends, renews,
or continues credit; any person who
regularly arranges for the extension, renewal, or continuation of credit; or any
assignee of an original creditor who
participates in the decision to extend,
renew or continue credit.”
Under FACTA, “credit” means “the
right granted by a creditor to a debtor
to defer payment of debt … or to purchase property or services and defer
payment therefore.” According to the
FTC, because many health care professionals regularly bill their patients
or other clients for their services after
those services are rendered, they clearly meet the FACTA definition of “creditor.” Indeed, the FTC argues, Congress
would have had to exclude health care
professionals explicitly from FACTA’s
definition of creditor for them to be exempt from the Red Flags Rule.
Significance for industry
The FTC’s interpretation of the Red
Flags Rule has widespread significance for
the health care industry, as the AMA and
the other medical associations involved
in the debate clearly recognize. In a Feb.
23, 2009, response to the FTC’s February 4 letter, the AMA accused the FTC
of imposing an “unjustified, unfunded
mandate on physicians” and warned that
subjecting health care providers (including hospitals) to the rule could have “serious adverse consequences on patients’
access to our health care delivery system
and services.” The AMA argued that the
health care claims process is not a “deferral” of payment process; rather, it is a
contractually governed system of obligations among patients, health insurance
carriers, and physicians, all overlaid by
federal and state requirements for prompt
payment. The AMA also claimed that the
FTC failed to comply with the federal
Administrative Procedure Act by adopting the Red Flags Rule without explicitly
stating that health care providers who allow deferred payment for their services
were “creditors” under the rule. To date,
the FTC has not publicly responded to
this AMA correspondence.

Nancy L. Perkins, JD, can be reached at Arnold & Porter LLP, 555 12th St. NW, Washington,
DC 20004-1206; 202-942-5065; e-mail: nancy.perkins@aporter.com.

Given the impending compliance
deadline and the absence of any indication that the FTC will change its position regarding health care professionals,
the immediate questions for members
of the health care community are (1)
whether they meet the rule’s definition
of a “creditor” and (2) if so, what they
need to do to come into compliance
with the rule by May 1, 2009.
On the first question, health care
professionals — including hospitals,
clinics, physicians, etc — should conclude that they are “creditors” if they
regularly provide products or services
to one or more persons without first receiving payment. On the second question, the answer depends to a large extent on the nature of the “accounts” the
“creditor” maintains with respect to the
deferred payment.
Under the rule, those accounts
(termed “covered accounts”) must be
carefully guarded through a variety of
measures to protect against the risk of
identity theft to the person whose payment was deferred. Those measures
must be detailed in a written Identity
Theft Prevention Program that is approved by the creditor’s board of directors
or committee thereof (or, if there
is no board of directors, a designated
employee at the senior management
level) and implemented, administered
and overseen by senior management
on a continuing basis.
In connection with its program, each
“creditor” must establish policies and
procedures to (1) identify any pattern,
practice, or specific activity that indicates the possible existence of identity
theft risk (ie, red flags); (2) detect those
red flags through vigorous monitoring;
(3) respond appropriately to any red
flags detected (ie, take steps to prevent
identity theft from occurring or to mitigate its harm); and (4) ensure that the
program is updated periodically, to reflect changes in possible risks or in the
accounts themselves.
Prevention program
The rule provides a nonexclusive list
of 26 examples of red flags that a creditor should consider including in its
program. Although the 26 examples do
not specifically refer to medical information, as the promulgating agencies
explained, “creditors in the health care
field may be at risk of medical identity
theft (ie, identity theft for the purpose
of obtaining medical services) and,
therefore, must identify red flags that
reflect this risk.”
Both to ensure accuracy in determining whether, and to what extent, the
Red Flags Rule applies and in designing
and implementing an appropriate Identity Theft Prevention Program, input
from legal counsel is critical to ensure
compliance. Any loopholes in the required compliance measures could result in substantial federal penalties. Further, although there is no private right of
action to enforce the rule, its standards
could potentially be used as a basis for
claims of violations (including class action claims) of generally applicable state
consumer protection laws.

FAST FACTS
Issues at Hand
1. The Federal Trade Commission has announced that health care providers who
regularly bill patients for services after they are received are considered
“creditors” by the Fair and Accurate Credit Transactions Act of 2003.
2. Despite debate from the AMA against this ruling, health care professionals
categorized as “creditors” have until May 1, 2009, to establish an Identity Theft
Prevention Program.
3. If health care professionals who are considered “creditors” according to this act
do not establish an Identity Theft Prevention Program by the deadline, they
may be subject to substantial federal penalties.
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
