
The Blatant Truth About Ownership

 

A compelling discussion for owners of clinical and non-clinical organizations involved in the health care field


Wednesday, April 8, 2009

Red Flag Rule: What Do You Do?

 


 

Many medical practices have been asking what they need to do to comply with the FTC regulation nicknamed “The Red Flag Rule,” due November 1st. More importantly, the real request is how to comply in the most cost-effective, efficacious, and time-efficient way possible.

 

The Federal Trade Commission passed this regulation, known as FACTA and nicknamed “Red Flag,” on January 1st 2008. The compliance date was set for November 1, 2008 and then delayed till November 1st 2009. The medical industry lobbies have been demanding that health care be exempt from the ruling, but as of February 2009 the FTC stated it will not be. Since the FTC is not the same as CMS, HHS, or the OIG, an eleventh-hour delay is not likely, because the rule involves more than just the health care industry.

 

To help you get started, I offer the following suggestions, broken down into three basic “buckets.” The first is the gap analysis, or following the flow of information. The second is the written documentation, and the third is staff education. The process we are required to follow is the same as it was for HIPAA; it is the information that is different.

 

To begin, most practices and health enterprises performed a gap analysis to comply with HIPAA. That process was not long ago, and this regulation encourages us to revisit it in order to look for the “red flags” involving identity theft. First, it would be prudent to update the gap analysis with any changes that have occurred in the practice since it was last performed for HIPAA. Once it is updated, you can then include the criteria involving identities. This will complete and close the circle, so to speak, for any individual the organization renders care to.

 

However, I must warn you that the FTC is not stopping at identity theft as it relates to patients and business associates or vendors who are in contact with that information. There is a small but very important paragraph, relative to the identities of others, which does not seem to be discussed well among the medical industry. This paragraph can be found in the FTC brochure, which I would be happy to provide by request. It is my opinion that this paragraph also includes the identities of our employees, because we collect identity information for insurance, payroll, and taxes.

 

 

          The second kind of “covered account” is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

 

 

None of us are exempt from getting our CEOs, boards, and senior staff members committed to the project. Nor are we exempt from selecting a compliance officer to implement and oversee the process or from performing a gap analysis. However, the good news is that it was done previously under HIPAA and is useful for “Red Flag.” In that way we maximize the time and effort invested without duplicating the process again. Instead, we simply update and add identity criteria. For most, that will be an investment of hours rather than weeks or months, manpower you don’t have, or hiring attorneys and accountants again.

 

The remaining two “buckets” involve creating proper documentation and employee education. Those two buckets were the bane of existence for HIPAA and are for Red Flag as well. There are many documents now being shared among listservs at no cost, and you are welcome to use those, but I suggest that you have an attorney or risk manager approve their use. While many health organizations have similar infrastructures, no two enterprises are alike, in the same way that no two sets of fingerprints are alike.

 

In anticipation of the need to better fulfill the second and third “buckets,” an investigation was performed to see whether a viable solution already existed or one had to be made. The investigation looked both in and out of the medical industry, simply because the FTC Red Flag Rule is not specific to health care but affects every industry. Therefore the possibility of finding a solution in another industry was very real. To my delight, I did.

 

I found a very reputable and notable organization that will provide Red Flag compliance, which includes the proper documentation and employee education, at no cost. It is a viable solution that has already been tested and accepted by many medical organizations as a reasonable choice. To learn more about how it works, email me with your contact information, including your telephone number.

8:54 am est




We are proud members of Gotham City Networking, Askleslie.net, and MGMA
 
