[ Monday, May 24, 2010 ]


Did someone say Red Flags? Just as I was noticing the impending deadline, the AMA, AOA and Medical Society of DC have filed suit against the FTC to prevent the imposition of the Red Flags Rule against physician practices. They follow, albeit somewhat more slowly, the litigation strategy of the ABA, which has already sued and won to prevent the application of the Red Flags Rule against lawyers (the ABA case has been appealed by the FTC, so that could still change, but for the time being, lawyers aren't "creditors").

The entire issue is whether doctors should be considered "creditors" under the Red Flags Rule, since they don't always take full payment up front from patients. Obviously, they aren't like car dealers or cell phone companies, where there's an explicit lending of credit to the customer to buy the goods or services, a monthly payment plan, etc. The only reason physicians don't bill in full at the time services are delivered is that the physicians don't know at that point how much is owed or what portion of the total bill is owed by the patient, as opposed to the insurance carrier. It's really more like the difference between a restaurant that makes you pay up front before you get your food (McDonalds) and a restaurant where you eat first then get your bill (Chili's).

However, there is clearly a risk of identity theft in connection with the provision of physician services -- medical identity theft is a growing problem. Is there a link between the fact that physicians don't bill in full and the ID theft risk? I don't think so.

That said, though, I'd say it's good HIPAA hygiene for a physician practice to have an ID Theft Prevention Policy in place (which is pretty much fulfillment of the Red Flags Rule requirements) anyway. It's not that hard to do, the analysis can be done with you do your risk analysis, and the plan is easy to draft. Maybe physicians shouldn't be required to comply, but they ought to at least consider doing so anyway.

Jeff [10:46 AM]

It would be great for practices to be exempt from the Red Flag rule. Small practices are hard pressed to find resources to do the things they need. But I agree that practices SHOULD apply the principles and put protections in place. This is especially true if they use and EHR. The practice should then inform its patients of how it protects them. It is a marketing advantage over other non-compliant practices.
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template