Red Flags Rule Compliance in Mental Health Practices
Posted by Ben Hicks, MLS, CMAA
With the enforcement of the Red Flags Rule almost 4 years ago, I am surprised how many people don’t know what I am talking about when I broach the subject. I think with fines of at least $2500.00 people should be more aware of this government regulation, if for no other reason than to know how it may affect their practice.
For those of you new to practice, or for those who missed this regulation because you were busy practicing, let me bring you up to date. The Federal Trade Commission instituted these rules at the end of 2010, to help creditors and lenders stop identity theft. A red flag refers to “potential patterns, practices or specific activities indicating the possibility of identity theft.”
So what does that have to do with your practice? Well, depending on how you do business, you may fall under this rule because clinicians are considered “creditors” if they:
- Provide services and then bill patients later; or
- Regularly allow their patients to defer payment for services, including by setting up payment plans, on a “regular” basis.
If the Red Flags Rule apply to you, you are required to develop and implement a written “identity theft prevention program” intended to identify, detect and respond to red flags that could denote that identity theft is happening in your practice.
Below are two helpful links. The first you can use to help put together an identity theft prevention program. It is an article which includes an identity theft prevention program template created by the American Psychological Association. The second link serves as an example of a statement of non-applicability of Red Flags Rule.
Guidance for Psychologists on “Red Flag Rules” Compliance
http://www.apapracticecentral.org/news/red-flag.pdf
Statement Regarding Non-Applicability of Red Flags Rule
http://valeriehoughton.com/valeriehoughton.com/Policies,_Tools_&_Forms_files/Red%20Flag%20Rule.pdf
The basics of a good identity theft prevention program include:
- A policy directing how your practice will verify patient identity at the time of intake (e.g. a government issued ID)
- A policy stating that when collecting intake information, the staff should also be alert for conflicting information (e.g. discrepancies in an address, age or signature)
- How you will respond if a Red Flag is detected (e.g. contacting the patient or notifying law enforcement)
- Require that you review the program annually to ensure its effectiveness.
Best Notes offers a number of great tools to help you with your identity theft prevention program including a place to add patient pictures, intake information and a copy of a photo ID. Security measures let you know who has logged in and accessed patient information. These measures come built into the software and help in the prevention of identity theft.
Please bear in mind that while I feel the provided references and information can be of a benefit to your practice, you must not rely on the information on this website as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.
Reference
http://www.business.ftc.gov/documents/bus23-fighting-identity-theft-red-flags-rule-how-guide-business