Useful Links

Disclaimer

  • The materials and opinions presented by the author on this blog/website are the author's views, are for educational and informational purposes only, are not intended to be legal advice and should not be used for legal guidance or to resolve specific legal problems. You understand that by reading this blog no attorney client relationship is created between you and the author. In all cases, legal advice applicable to your organization’s own specific circumstances should be sought form knowledgeable counsel. The author may change this site without notice and does not guarantee the site to be complete, correct, or up-to-date. Neither the author, publisher, or the author's firm are responsible for the content of any linked sites.

Red Flags Rule

02/02/2010

Providers ask FTC for Exception to Red Flags Rule

On Friday, a four trade associations for health care professions issued a press release announcing that they had requested the FTC specifically exempt members of their organizations from the Red Flags Rule.  You can read their letter here.  This group includes the American Dental Association, the American Medical Association, the American Osteopathic Association, and the American Veterinary Medical Association.   

This request is based upon a recent federal court ruling that found the Red Flags Rules do not apply to lawyers. This ruling came out of a lawsuit filed by the American Bar Association(Hey, We control Congress and The courts, you didn't think lawyers would really have to comply did you?)  These providers argue that the court's rationale for excluding lawyers applies equally to them.   This makes sense, because the court determined that lawyers did not fit the definition of creditor and that it appeared the FTC was attempting to regulate monthly invoice billing.   Personally, I think the judge is correct.  

The ABA case and the AMA letter are worth keeping an eye on in the coming months, because the same rationale would apply to home health, hospice and private duty providers.  The FTC's rationale has always been that invoice billing amounted to an extension of credit which made you a creditor.  If a lawyer does not become a "creditor" by virtue of invoice billing, it is hard to see how a home health agency, hospice, or private duty provider would.  Hopefully, the court ruling and pressure from the AMA and others will lead the FTC to dial back the rules.

Some privacy advocates are lamenting the AMA's move in this case.  They think the Red Flags Rule is another needed tool to protect patients from the loss or disclosure of information that leads to identity theft.  In my opinion, this is not as big of a concern as some might think.  

The Red Flags Rule is more about detecting indicators of identity theft than protecting patient information from loss.  Safeguarding and securing patient information is addressed by HIPAA.  Regardless of what happens with the Red Flags Rule, HIPAA will still be in place and still require providers to protect patient's PHI. In addition, HIPAA's effectiveness has been enhanced, due to the new breach notification requirements, expansion of business associate coverage and the much steeper penalties allowed.  Increased HIPAA enforcement alone will do a great deal to curtail disclosure of patient information that leads to identify theft.  

Limiting the application of the Red Flags Rule as the AMA is requesting will not lead to less security of patient's PHI.  

Posted by Robert Markette on 02/02/2010 at 10:15 AM in Home Health and Hospice Regulations, Information Privacy/Security, Private Duty, Red Flags Rule | | Comments (2) | TrackBack (0)

11/02/2009

FTC extends the Red Flags Rule Deadline again.

Well, I checked a number of times of Friday for an announcement regarding the Red Flags rule.  When I left for the day, I assumed the deadline would not be extended, which, given the legislation pending in Congress, really surprised me.

Well, when I came into the office this morning, I found that the FTC did extend the deadline for enforcement.  It is now June 1, 2010.  You can read the FTC's press release here.

Basically, the FTC is extending the deadline, because Congress has asked it to do so.  Although, the press release notes that the U.S. District Court for the District of Columbia ruled on Friday that the Red Flags Rule does not apply to attorneys.  That case could be interesting, because it may have broader application, because there has always been an argument that the FTC's definition of Creditor was over broad.  That argument was one I felt most home care and hospice providers probably would not make, because it was cheaper to comply than to litigate with the FTC.  Especially give the FTC's recent pronouncements on compliance for entities who "know their customers."

If you have not implemented a Red Flags Rule compliance program, you now have until June 1, 2010.  I would recommend that if you do not have a program in place, you might wait until closer to June 1, 2010 to see what happens with the court case (I bet the FTC will appeal) and what the final legislation from Congress looks like.  These two factors may radically change how you address the Red Flags Rule.

Posted by Robert Markette on 11/02/2009 at 05:42 AM in Home Health and Hospice Regulations, Red Flags Rule | | Comments (2) | TrackBack (0)

10/30/2009

Red Flags Rule Deadline Approaches

With November 1 just around the corner, I thought it was a good idea to remind everyone that the Red Flags Rule deadline is November 1 (although since that falls on a Sunday, it is effectively November 2).  This deadline has not yet been extended (as of the moment I posted this).  

Earlier this week I mentioned legislation that had been passed by the House of Representatives  in response to the "overreaching" by the FTC.  According to this article, that legislation has stalled in the Senate.  This legislation would have only exempted out entities with fewer than twenty employees, which would not have helped most home health or hospice providers. However, the legislation did create an "opt out" avenue that would have allowed certain businesses to petition for an exemption.  The article speculates that the FTC might extend the deadline to give the Senate a chance to act, but that is not at all certain.

It appears that by the time this legislation passes, the compliance deadline will have passed.  At that point, most providers will probably not bother considering whether to apply for an exemption, because they will have already put their policies and procedures into place.

If you haven't started your red flags compliance effort yet, now is a really good time to start implementing policies and procedures.  

Posted by Robert Markette on 10/30/2009 at 09:39 AM in Red Flags Rule | | Comments (0) | TrackBack (0)

10/26/2009

Congress Acting on Red Flags Rule

The House of Representatives passed an interesting bill last week.  It would limit the application of the Red Flags Rule, by excluding certain small businesses.  The bills sponsors felt that the FTC had over reached with the regulations it passed and that the Rules needed to be dialed back.  The sponsors stated that requiring small businesses to comply with the Red Flags Rule was not necessary, because the risks were lower than for large corporations with thousands of customers.  They also felt that the costs associated with compliance were unduly burdensome for small businesses.

The bill itself specifically excludes health care practices, law firms, and accounting practices with fewer than twenty employees from complying with the rule.  The statute also gives the FTC the authority to create a process allowing certain other businesses to apply for exclusions.  A business may apply for an exclusion if it 1) knows all of its customers or clients individually; 2) only performs services in and around the residences of its customers; and 3) the business has not experienced identity theft and identity theft is unusual for businesses of this type.  This sounds a lot like home care and hospice.

This bill must still pass the Senate, but if it does, small business will have a reprieve.  If you have more than 20 employees, you may still have a way out, by applying for an exclusion.  Of course, we will have to wait and see what the FTC's regulations on applying for an exclusion look like.  However, the statute makes it seem very likely that providers in the homecare and hospice industry would have a good chance of obtaining an exclusion.

One other point, reading the sponsor's comments, he specifically thanks the FTC for delaying implementation of the Red Flag Rule until Congress could act on this issue. It is not clear if he is referring to the extension of the deadline to November 1, or if he is indicating the FTC will further delay enforcement of the Red Flags Rule.  With November 1 fast approaching, we will keep watching the FTC website and let you know.

Posted by Robert Markette on 10/26/2009 at 06:06 AM in Red Flags Rule | | Comments (0) | TrackBack (0)

07/29/2009

FTC delays Red Flag Rule to November 1

In order to provide more time to "educate" small businesses, the FTC is delaying enforcement of the Red Flags Rule to November 1, 2009.  The FTC believes smaller providers are unsure of their obligations and will be promulgating additional guidance.

The announcement references a FAQ in which the FTC states "that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft." 

This reinforces what I have said in the past - complying with this rule is not going to be that burdensome.  (The fact that the FTC says they would be unlikely to take action does not mean you should completely ignore this.) It will be interesting to see what the additional guidance states, I doubt they will simply say certain providers can ignore the rule, but this seems to indicate they will try to reduce the burden further. 

Read the announcement here.  I will post the guidance as soon as its available.

Posted by Robert Markette on 07/29/2009 at 08:50 AM in Red Flags Rule | | Comments (0) | TrackBack (0)

07/08/2009

Less than one month until Red Flags Rule Deadline

I know, you've heard this one before, but the Red Flags Rule deadline is currently set for August 1.  This means you have less than a month to finish putting your plan together.  As I have said before, for home health and hospice compliance won't be that difficult.  The FTC has even acknowledged that for providers who routinely see their clients, compliance with the Red Flags Rule should be relatively simple. See here.  (Note, I said relatively simple, not simple.)


With the deadline approaching, I thought you would appreciate this story. It is a story about the wrinkles that hospitals are discovering as they implement their Red Flags Rule policies and procedures.  The story is interesting for two reasons, one the case of a red flag that led the hospital to identify a patient who actually thought he was someone else.  The patient was using his cousin's name, not to take advantage of his cousin's insurance, but because he thought he was his cousin.  The hospital learned of it when the cousin called to complain about a bill.  The point is that this is another example of how a Red Flag might indicate something other than identity theft.

The other interesting point in the article is the discussion of whether a home health agency or other post-acute care provider can assume the hospital has properly identified the patient.  In my opinion, you cannot make that assumption.  Not surprisingly, the person interviewed in the article drew the same conclusion.  They then discuss what options they have for identifying patients.  

Posted by Robert Markette on 07/08/2009 at 01:57 PM in Red Flags Rule | | Comments (0) | TrackBack (0)

05/06/2009

Red Flags Rule: Clarification on Creditors and accepting Medicaid

The FTC recently published a guidance document for the Red Flags rule as it pertains to health care providers.  It is available on the FTC's website.

The article reiterates that being paid for services after they are provided falls into its definition of Creditor.  The document does specifically discuss how Medicaid or similar programs fit into the FTC's analysis of credit and creditors.

According to this new guidance document, if you only accept payment from Medicaid or similar programs (Medicare for example), where the patient has no responsibility for payment you are not a creditor.  Responsibility for payment would include co-pays, spend downs, deductibles and any other charge to the patient.  

This means Medicaid/Medicare home health and hospice agencies who do not accept any private pay patients or patients with co-pays or other responsibility for payment might avoid being a creditor under this rule. This may be the first guidance from the FTC that actually excludes a group from the definition of creditor.

The converse of this definition is that if you have Medicaid patients who have a co-pay or spend down, the FTC most likely still considers you to be a creditor under this rule, because the patient would have responsibility for payment.  Whether the FTC considers you a creditor will hinge upon when the patient pays the co-pay.  If you allow the patient to pay the co-pay after you start providing services, the FTC would still consider you a creditor. 

For patients that have a Medicaid spend down, the issue would be the same.  Providers who have patients with spend downs could bill the patient each month in advance of services to avoid being a creditor, but in my experience, most providers bill for spend downs as late in the billing cycle as possible in the hope that their claim will "hit" after the spend down is met by services from other providers.  This makes the Medicaid provider a creditor according to the FTC.

This effectively leaves most Medicaid providers who have any patients with spend downs in the same boat as private insurance, your routine claims processing/billing practice is clearly considered an extension of credit by the FTC.  (Don't shoot the messenger.  I am not saying I agree, just letting you know the opinion of the regulators.)

For home health and hospice providers who only bill Medicaid, Medicare or similar programs without any client responsibility, this clarification appears to relieve you from any compliance obligation. (Again, only if you do not have any private pay clients that you bill or any private insurance clients that have deferred payment or Medicaid patients with a spend down.)  

If nothing else, it is nice to see the FTC acknowledging that accepting Medicaid/Medicare payment in cases without client responsibility is not a credit transaction.  It is a narrow exception, but it is a start.  The FTC now has a dedicated Red Flag Rule section on it website and will likely issue even more clarification in the coming months.  

Posted by Robert Markette on 05/06/2009 at 05:40 AM in Red Flags Rule | | Comments (0) | TrackBack (0)

05/01/2009

Red Flags Rule Deadline Extended to August 1, 2009

The FTC announced yesterday that it was extending the Red Flags Rule compliance deadline to August 1, 2009.  You can read the announcement here.  The announcement notes that extending the deadline will give trade associations more time to provide education to their members and give the FTC time to issue a template to help "low risk" entities comply with the law.  The announcement describes entities with a low risk for identity theft as those entities who know their client's personally.  Hmmm, that seems familiar.


The announcement also says the FTC thinks this will give Congress time to further consider the application of this rule.  It seems to me the FTC could change its position on who is a creditor without any effort from Congress, but the FTC is pointing the finger back to Congress.  The announcement reiterates the FTC's position that if you provide services and bill later you are a creditor.  

The FTC chairman says congress can reconsider the application of this rule, but I am unaware of any efforts in Congress related to the Red Flags Rule.  It seems unlikely that the FTC will change its position on who is or isn't a creditor, especially when the announcement lays that issue back at Congress's feet and reiterates the FTC's position.  

If nothing else, the template the FTC is putting together will provide additional guidance to low risk entities like home health, private duty and hospice providers as to what the FTC thinks a Red Flags program should look like.    

Posted by Robert Markette on 05/01/2009 at 09:53 AM in Red Flags Rule | | Comments (0) | TrackBack (0)

04/27/2009

Red Flags Rule Coverage

With just a little less than a week left until the Red Flags Rule deadline arrives, I wanted to touch on one topic that keeps coming up in conversations about the rule.  I keep having people ask if they are not covered because they only offer private pay services or because they only offer non-skilled services, or because they are not a service provider at all.  The problem with that is that the Red Flags Rule does not really care what type of provider you are of even if you are a provider.

You will need to comply with the Red Flags Rule is you are a "creditor" as that term is defined in the regulations. (I touched on this a little in this post, but did not really explain coverage.)

The Red Flags Rule defines a creditor as "any person who regularly renews, extends, or continues credit; any person who regularly arranges for the extension, renewal,or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit”.  The FTC has interpreted the phrase credit to mean any situation where an individual or entity provides a good or service, but does not receive payment for the good or service at the time the good or service is provided.

In other words, the FTC considers a creditor to be any entity that bills a customer, client, or patient for services after the service is provided. (This includes doctors, lawyers, etc.)  The FTC has interpreted credit to include providing services and then billing insurance for the services.  This means the FTC considers billing Medicare/Medicaid (where the patient has some responsibility for payment, see this post for details on recent guidance from the FTC), and private insurance to be the extension of credit for purposes of this rule.  (No, it does not make a lot of sense, I am simply relaying the interpretation.)

If you fit into this definition of creditor, then you are a subject to the red flags rule, regardless of the services your provide.  This means you will need to comply with the rule and implement policies and procedures related to your "covered accounts".  For help on complying with the rule, you can look here.

I am going to be taping a webinar through the Home Care Information Network later this week that should be available next week.  If you still do not understand the rule, you can check their website for information on viewing the webinar.  I mention this primarily, because I know that the other home care information sources have already done their teleconferences and so their may not be any other source for education on the matter if you did not get in on one of the others.  

Posted by Robert Markette on 04/27/2009 at 06:11 AM in Red Flags Rule | | Comments (0) | TrackBack (0)

04/23/2009

FTC enforcement vs. HHS/CMS enforcement and the Red Flags Rule

With the proposed PHR breach rules being published, the FTC is now in the health information privacy enforcement realm.  I read an interesting article today discussing the differences between how the FTC enforces identity theft and financial privacy issues and how HHS and CMS enforce privacy issues.  The article is focused on the impact for providers of PHR (personal health records) of the new PHR breach rule, but it discusses how the FTC is coming to be more and more involved in privacy enforcement and how that may shock the provider community.  

Until recently, HHS has been the primary enforcer of privacy issues in health care (The PHR rule is the FTC's first foray into this realm).  As the primary enforcer, the Office of Civil Rights within CMS has focused primarily on getting providers who have a breach into compliance and has, for the most part, foregone fines and penalties.  Providers have grown accustomed to this approach, although there have been recent signs that, after 5 years or so,  this approach was starting to change.  

For providers that have grown accustomed to this approach, this article indicates that providers should not expect the same "cooperative" approach when dealing with the FTC.  The article emphasizes that the FTC is a "far more aggressive enforcer" than CMS/HHS on privacy and related issues.  The article points out that the FTC brings more enforcement actions and is a very active agency when it comes to enforcement of privacy and identity theft   

For most providers this "far more aggressive" posture is most likely to be seen in the context of the Red Flags Rule.  The FTC may be moving into more areas of health information privacy, but for now the FTC's primary authority over homecare (including private duty), hospice, and other providers is through the Red Flags rule. 

The FTC's enforcement history in these areas shows that it is more inclined to seek penalties from violators instead of pursuing efforts to assist them with compliance.  Providers should recognize this and not be surprised if the FTC's response to a Red Flag issue is "enforcement" instead of "cooperation."  For the FTC, aggressive enforcement appears to be the norm.  There may not be an initial period where the FTC overlooks a violation and allows a provider to fix things after the fact.  This should cause providers to be more focused on Red Flags rule compliance and getting their policies and procedures into place.  

There were several years between the HIPAA Privacy Deadline and the first penalty assessed under HIPAA.  Even then, the penalty was assessed in a very egregious case.  Providers should not expect that the FTC will grant a similar "honeymoon" period under the Red Flags Rule.

Posted by Robert Markette on 04/23/2009 at 06:12 AM in Red Flags Rule | | Comments (0) | TrackBack (0)