July 14, 2009 Feature

Private Practice and Identity Theft

Providers Who Allow Deferred Payment Must Comply with FTC Rules by January 1, 2011

Private-practice speech-language pathologists and audiologists who do not require patients to pay for their services in full at the time of service must implement a program to prevent identity theft by January 1, 2011.* 

Clinicians who allow deferred payment are categorized as "creditors" by the Federal Trade Commission (FTC), and must comply by January 1, 2011 with FTC "red flag" rules designed to prevent identity theft. Identity theft is fraud and in the context of medical care would include, for example, a patient using the name or insurance information of another person, which could result in false billing or corruption of medical records.

Creditor SLPs or audiologists must develop and implement a written program to detect, prevent, and mitigate identity theft. In developing this program, providers should take four steps:

  1. Identify relevant red flags in five FTC-recognized categories:
    • Alerts, notifications, or warnings from a consumer reporting agency
    • Suspicious documents
    • Suspicious personal identification information, such as a suspicious address
    • Unusual use of—or suspicious activity relating to—a covered account
    • Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
  2. Determine how to detect relevant red flags.
  3. Set up procedures to prevent and mitigate identity theft.
  4. Educate staff and keep the program current.

An example of a procedure that might comply with the rules would be to ask new patients for photo identification.

The program can be customized depending on the risk of identity theft. The FTC identifies certain factors—such as knowing patients personally and any previous experiences with identity theft—that would indicate a creditor's low risk of identity theft. Once a program is developed, it must be approved by senior management or the board of directors (in the case of large clinics or practices); someone (such as a senior employee) must be designated to administer the program; and staff must be trained to detect red flags.

Providers may want to seek legal advice when setting up a program. The FTC and the American Medical Association (AMA) also offer guidance for complying with the red flag rules. The FTC's overview of the rules and guide to help businesses create a program are available on the FTC Web site.

The FTC also sent a letter [PDF] to the AMA explaining why "creditors" include health care providers. The AMA has a sample policy available on their Web site[PDF].*

*Correction: This article contains a corrected Web link.

*Correction: The Federal Trade Commission's (FTC) deadline for health care providers to implement a prolicy to prevent identity theft has been postponed from June 1, 2010 (as previously indicated in this article) to January 1, 2011.

Kate Romanow, JD, director of health care regulatory advocacy, can be reached at kromanow@asha.org or 800-498-2071, ext. 5671.

cite as: Romanow, K. (2009, July 14). Private Practice and Identity Theft : Providers Who Allow Deferred Payment Must Comply with FTC Rules by January 1, 2011. The ASHA Leader.


Advertise With UsAdvertisement