Guidance for psychologists on "Red Flag Rules" compliance

by Legal and Regulatory Affairs Staff

July 31, 2009 Update: The Red Flags Rule is now scheduled to take effect on November 1, 2009.

March 26, 2009 — The "Red Flags Rule" (Rule) issued by the Federal Trade Commission (FTC) takes effect on May 1, 2009. Some psychologists may need to comply with the Rule, which is intended to reduce identity theft. This article and its appendices offer guidance for practitioners.

"Red flags" is a term the FTC uses to refer to "potential patterns, practices or specific activities indicating the possibility of identity theft." Although the agency has stated that the Rule was designed primarily for financial institutions and other traditional creditors, the FTC announced last fall that it would also apply the Rule to health care practitioners who are considered "creditors."

Health care practitioners are considered "creditors" if they:

  • Provide services and then bill patients later; or

  • Allow their patients to defer payment for services — including by setting up payment plans — on a "regular" basis.

If you meet either of these criteria, the Rule will apply to you.

We contacted the FTC to determine how often a psychologist would have to permit delayed payment for that practice to be considered "regular" under the second situation noted above. Based on informal guidance from the agency, you should assume that the second situation applies to you unless you let patients defer payment only rarely or sporadically and your normal payment policies do not provide for deferred payment. Under those circumstances, the practice of extending credit probably would not be considered "regular." By contrast, if you allow clients to delay payment more than rarely or sporadically, you should plan to comply with the Rule.

The FTC believes that the Rule is important in the health care industry because of the rising incidence of identity theft related to medical information. Medical identity theft involves using someone else's personally identifiable information — such as name, date of birth, Social Security number or insurance policy number — to bill for goods and services related to health care. These acts can seriously damage the victim's medical record and credit. They can also lead to inappropriate care if health care providers rely on inaccurate information that the thief's activity introduced into the victim's medical record when making treatment decisions.

Egregious examples of medical identity theft include a man who received $350,000 in cardiac surgery services using a neighbor's identity. Another victim, whose identity was stolen by a person seeking to obtain surgery, discovered that the identity thief's medical information had been commingled with her own when she found an incorrect notation of diabetes in her record.

What to do if the Rule applies to you

If the Red Flags Rule applies to you, you must develop and implement a written "identity theft prevention program" (Program) designed to identify, detect and respond to suspicious activities (Red Flags) that could indicate identity theft is occurring in your practice. As reiterated in the new compliance guidance that the FTC issued (PDF, 21.4 MB) on March 23, 2009, the Program can be tailored to the size and risks of your practice. For solo or small group practices, the Program can consist of simple written policies.

To assist you with compliance, this article includes a Sample Red Flags Program designed for solo and small group practitioners (Attachment A) and a Sample Business Associate Agreement (Attachment B). Practitioners in larger group practices or organizational settings should be guided by their organization's Red Flags policies.

Your Program should:

  • Include a policy governing how your practice will verify patient identity at the time of intake, specifying what documents will be used for identification and what information will be requested.

  • Have a policy stating that the staff person who takes the intake information should also be alert for conflicting information, for example, a discrepancy in identifying information such as address or age between what the patient states and what appears on the documents presented.

  • Specify how you will respond if a Red Flag is detected. Responses may include contacting the patient, changing passwords on patient accounts, or notifying law enforcement.

  • Provide for appropriately and effectively managing "service providers." Under the Rule, service providers appear to be the equivalent of "business associates" under the Health Insurance Portability and Accountability Act (HIPAA) and serve the same purpose. (A "business associate" is an organization or person, other than a member of the psychologist's workforce, who receives patient information from the psychologist in order to provide services to or on behalf of the psychologist, for example, an accountant, lawyer, billing service or collection agency.) Because the term "business associate" is more familiar to psychologists and better defined than "service provider," we use the former term. Attachment B to this article contains a sample agreement that you can add to your existing business associate contracts, if you have them, or that you can have your service providers sign as a standalone agreement.

  • Require that you review the Program annually to ensure its effectiveness.

An appendix to the FTC Rule gives examples of Red Flags that your practice may encounter, such as suspicious documents (for example, a driver's license that appears to be forged or tampered with) and questionable personal information (for example, a changed address when the patient has made no mention of moving). We have incorporated into our Sample Program those Red Flags that we believe are most likely to apply to a solo or small group psychology practice.

Some practitioners may wonder whether complying with the HIPAA Security Rule will obviate compliance with the Red Flags Rule. The answer is "no." The Security Rule governs safeguards for electronic patient information, whereas the Red Flags Rule requires a program to detect and respond to identity theft, so the two obligations are separate. Following best security practices, such as those identified in the Security Rule for electronic patient information and in the 2007 APA Record Keeping Guidelines (PDF, 83 KB), should help lower your risk of identity theft, but it will not exempt you from complying with the Red Flags Rule.

The FTC is charged with enforcing the Red Flags Rule. Failure to comply may result in penalties of up to $2,500 per violation.

The APA Practice Organization will keep you informed as the FTC makes available additional guidance and information regarding the Rule and how it applies to psychologists.

For more information, contact the Legal and Regulatory Affairs Department by e-mail or (202) 336-5886.

Please note: Legal issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single article. In addition, laws change over time and vary by jurisdiction. The information in this article should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.

Attachments A and B are part of the PDF document linked at the end of this article.

UPDATED July 31, 2009

Red Flag Rules.pdf (90.43 KB)