December 2009

Red Flag Rules Delayed to June 1, 2010

A Polsinelli Shughart Health Care Update

Rules Require All Financial Institutions and Credit Providers to Adopt Identity Theft Policies

On October 30, 2009, the Federal Trade Commission (“FTC”) delayed the enforcement date of the “Red Flag Rules” for the third time - until June 1, 2010. The Red Flag Rules require the implementation of a written compliance program to provide for the identification and detection of, and response to patterns, practices, or specific activities (red flags), that could indicate identity theft. Despite the delays in the enforcement date, the compliance requirements have not changed. Therefore, Red Flag Rule compliance programs that were previously implemented in conjunction with the original requirements do not need to be updated or revised at this time.

Health Care Implications

In recent news, the House passed bill HR 3763 on October 20, 2009, which amends the Fair Credit Reporting Act to exclude any health care, accounting or legal practice with 20 or fewer employees from the meaning of “creditor” subject to the Red Flag Rules. The bill includes exceptions for other entities if the entities meet certain requirements established by the FTC. Thus far, the Senate has not voted on the bill. On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flag Rules to attorneys. At this time, it is unclear if any other professional will be “exempt” from complying with the Red Flag Rules.

The Red Flag Rules require written compliance policies and procedures approved by the governing board of the health care provider to identify red flags that may indicate a patient’s identity has been stolen. Potential examples of red flags of the health care provider may include:

• Insurance ID cards that appear tampered with or a patient who cannot produce a card
• Identification that does not match the physical appearance of a patient • Inconsistent signatures
• Discrepancies between information provided by the patient and insurance information
• No correlation between SSN range and DOB
• Invalid phone number or use of pager or answering service
• Frequent change of address or use of P.O. box, or request for new services shortly after change of address
• Mail that is returned repeatedly
• Complaints from patients based on receipt of a bill for another person, bill for a service not received, bill from a provider who was never seen, or unfamiliar explanation of benefits (“EOB”)
• Records showing treatment inconsistent with history and physical
• Denials due to depleted insurance benefits or lifetime cap reached
• Dispute of bill by patient claiming to be victim of identity theft

If red flags are identified, the policies and procedures must also outline a method to respond to the potential identity theft. Staff should receive regular training on the Red Flag Rules compliance program, and the program must be periodically reviewed and updated to reflect new guidance and changes in risk.

For more information:

Health Care:

• Carey Gehl Supple – cgehlsupple@polsinelli.com | 816.395.0692

Corporate:

• Jeb Bayer – jbayer@polsinelli.com | 816.374.0555

About Polsinelli Shughart PC

With more than 470 attorneys, Polsinelli Shughart PC is a national law firm that is a recognized leader in the areas of business litigation, financial services, bankruptcy, real estate, business law, labor and employment, construction, life sciences and health care. Serving corporate, institutional and individual clients regionally, nationally and worldwide, Polsinelli Shughart is known for successfully applying forward-thinking strategies for both straightforward and complex legal matters. The firm can be found online at www.polsinelli.com.