Archive for April, 2010

Medical records found on copy machines

An article at TechRepublic talks about the liability around copy machines.  The article states that most copy machines made since 2002 have a hard drive built into them, and that the drive stores an image of every document the machine scans, prints, copies or faxes.  This has major implications for a medical practice: all the patient information you have printed, copied or faxed could still be sitting on the copier's drive.  Many large multipurpose copiers are leased, and at the end of the lease the machine, drive included, is turned in for a newer model.

The article gives an example of just how much of a liability copy machines can be:

But despite the sensitivity of the information discovered on the first three machines, it was on the fourth machine that they found what Keteyian called the “most disturbing documents.” The machine, once used by Affinity Health Plan, a New York insurance company, contained “300 pages of individual medical records.”  These records included “everything from drug prescriptions, to blood test results, to a cancer diagnosis.”

The take-away from this is that copy machines need to be treated just like computers, USB drives and smartphones.  Before disposing of any device that contains electronic protected health information (EPHI), care must be taken to ensure that the EPHI is properly removed: have the drive overwritten (many copier vendors sell a data-security kit or offer an erasure service), or remove the drive and destroy it, before the machine leaves your control, and get the erasure documented in writing.  Copy machines fall under the same HIPAA policy and procedure you have for disposal of EPHI.

HIPAA Security Rule

164.310 – Physical safeguards

(d) (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

The realities of network security

There is a story over at FierceHealthIT that summarizes a healthcare security study commissioned by Kroll Fraud Solutions of Nashville, Tenn.  The study concluded that healthcare organizations take security seriously but may have a false sense of how secure their organization really is.

Reasons for this may be that organizations continue to view security in silos. Some 87 percent of respondents said they have policies to monitor access to and sharing of electronic health information, but most of the reported breaches had more to do with carelessness than technology–stolen laptops and back-up tapes, as well as improper document disposal.
 
The white paper, commissioned by Nashville, Tenn.-based Kroll Fraud Solutions, says respondents gave their organizations high marks–an average of 6 on a scale of 1 to 7–for compliance with HIPAA, state security laws, CMS regulations and the Federal Trade Commission’s “Red Flags” rule for identity theft, and a score of 5.75 for compliance with new security requirements of the HITECH Act portion of the American Recovery and Reinvestment Act. Despite these high ratings, 19 percent of organizations reported having a data breach in the past 12 months, up from 13 percent in 2008.

The first step to ensuring that your practice is secure is taking security seriously. It is important to write security policies and procedures, but security is not about going down a list of to-do items and checking each one off. Security is about ingraining best practices into your everyday workflow. Unfortunately security at times gets in the way of how we normally perform our jobs and requires a few extra steps. You might have to encrypt a file before copying it to a USB drive, or send a patient an encrypted email rather than a standard one. Each of these actions takes a few extra steps, but in exchange you know the data was protected.

Security also costs money. There is no way around it. In order to ensure that your data is protected, and especially to comply with the HIPAA Security Rule, you have to invest in security technology. Patients want to communicate more and more by email, so you will eventually have to invest in email encryption to communicate with them safely. Data is more and more portable and you have to put in place the technology to protect it wherever it goes: laptops, tablets, USB drives, smartphones, etc. Each of these devices can leave your office and could be lost or stolen, so encrypting the data on them is essential. Unfortunately you may have to implement one or more encryption technologies, whichever is appropriate for each device, and keep track of where the keys and recovery passwords are kept.

Security costs money in ways you may not think about. Proper security requires that employees have unique user IDs and passwords and access only to the information they have been granted. But how do you know if someone is trying to access information they are not allowed to see? How do you know if someone has gotten through your firewall and is reading your EMR? Your servers should be set up to log important events such as logons, logoffs, invalid password attempts, and successful and unsuccessful data access (this is the Information System Activity Review the Security Rule requires). These logs grow huge, and there is so much information in them that it is almost impossible to understand by eye what is happening on the servers. You will either have to invest in technology that goes through the logs and notifies you when a security event occurs, or pay an outside IT company to monitor them. Either way it is probably not an expense you have considered.
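To make the log review concrete, here is an added example (not code from the original post) that reads a constructed, simplified Windows-style security log and flags the three things a practice most wants to know about: a burst of failed logons for one account from one source, a successful logon right after such a burst, and logons outside business hours. The event IDs 4624 (logon succeeded) and 4625 (logon failed) are the real Windows ones; the line layout, host names, accounts, addresses and the 07:00-19:59 business-hours window are assumptions made up for the illustration.

```python
"""Review a constructed Windows-style security log for logon activity worth a look."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not data from any real system.
# Layout (our own simplification): date time host event_id account source_ip
SAMPLE_LOG = """\
2010-04-12 08:01:10 EMR-SRV 4624 jsmith 10.0.0.21
2010-04-12 08:02:33 EMR-SRV 4625 mjones 10.0.0.34
2010-04-12 08:02:41 EMR-SRV 4624 mjones 10.0.0.34
2010-04-12 22:14:02 EMR-SRV 4625 admin 203.0.113.7
2010-04-12 22:14:05 EMR-SRV 4625 admin 203.0.113.7
2010-04-12 22:14:09 EMR-SRV 4625 admin 203.0.113.7
2010-04-12 22:14:12 EMR-SRV 4625 admin 203.0.113.7
2010-04-12 22:14:16 EMR-SRV 4625 admin 203.0.113.7
2010-04-12 22:14:20 EMR-SRV 4625 admin 203.0.113.7
2010-04-12 22:15:01 EMR-SRV 4624 admin 203.0.113.7
2010-04-12 23:40:00 EMR-SRV 4624 rbrown 10.0.0.50
"""

LOGON_OK, LOGON_FAILED = "4624", "4625"   # real Windows Security event IDs
BURST_THRESHOLD = 5                        # this many failures from one account+source ...
BURST_WINDOW = timedelta(minutes=10)       # ... within this window is worth a look
BUSINESS_HOURS = range(7, 20)              # assumption: the practice works 07:00-19:59


def parse(log_text):
    """Turn the constructed log text into a chronological list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time_, host, event_id, account, source = line.split()
        events.append({
            "ts": datetime.fromisoformat(f"{date} {time_}"),
            "host": host, "event_id": event_id,
            "account": account, "source": source,
        })
    return sorted(events, key=lambda e: e["ts"])


def review(events):
    """Return (finding, account, source, timestamp) tuples a human should look at."""
    findings = []
    recent_failures = defaultdict(deque)   # (account, source) -> timestamps of failures
    for ev in events:
        key = (ev["account"], ev["source"])
        failures = recent_failures[key]
        while failures and ev["ts"] - failures[0] > BURST_WINDOW:
            failures.popleft()             # forget failures that fell out of the window
        if ev["event_id"] == LOGON_FAILED:
            failures.append(ev["ts"])
            if len(failures) == BURST_THRESHOLD:   # report once per burst, not per failure
                findings.append(("failed-logon burst", ev["account"], ev["source"], ev["ts"]))
        elif ev["event_id"] == LOGON_OK:
            if len(failures) >= BURST_THRESHOLD:   # guessing that eventually worked?
                findings.append(("success after failed burst", ev["account"], ev["source"], ev["ts"]))
            failures.clear()
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after-hours logon", ev["account"], ev["source"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for kind, account, source, ts in review(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<28} {account:<8} from {source}")
```

Run against the sample it reports the five failures for "admin" from an outside address at 22:14, the success that follows them a minute later, and two after-hours logons; the single typo by "mjones" at 08:02 is correctly ignored. The same shape of logic, fed by your real server logs and with the thresholds tuned to your practice, is what a log-monitoring product or an outside monitoring service is doing for you.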

Computer networks are constantly changing. New programs are added, updates are applied and security patches are downloaded and installed. Every change has the potential of opening a hole that someone could find and exploit to reach your data. A security best practice is to have a vulnerability scan and a network penetration test performed periodically. These are usually done by outside IT consultants who specialize in network security. A vulnerability scan enumerates known weaknesses: missing patches from vendors such as Microsoft or your EMR vendor, default or weak configurations, and unnecessary services listening on the network. It should be run against both your Internet-facing systems and your internal network, since a misconfigured firewall, an open wireless access point or a forgotten dial-in modem can put "internal" systems within reach of an outsider. A penetration test goes further: the tester takes the position of an attacker and tries to actually gain access, chaining together whatever weaknesses exist, so that you learn which holes matter rather than just which ones are present. Without this testing you would probably have no idea these holes existed. The end result of both should be a report that lists every issue found, its severity and the recommended steps to address it, followed by a re-test after you have fixed the findings to confirm they are closed.

The other big piece of security is training your staff to perform their job functions in a safe and secure manner that protects patient data. It is important to go over the policies and procedures with employees, but it is even more important for them to understand the benefits of security. When you start implementing better network security you will be making changes that directly affect your employees. They need to understand why passwords need to be 8 characters and changed every 60 days (for example). They need to understand why data must be encrypted if it is leaving your network. The good news is that employees already understand security: they understand the need for a safe transaction when they buy something from amazon.com. Training should take what they already understand and apply it to patient information. The bad news is that network security means change. Many employees don't like change and prefer doing things the way they are used to.

As you can see, security is a challenge for any medical practice. It requires a few extra steps to perform a job function in a secure manner. Security has costs that are both obvious and hidden. Security means change, and change has a direct impact on your staff. The purpose of this article was not to scare you away from security but to shed some light on what you will be getting into as you implement better network security that protects your patients' data.

AMA publishes a FAQ on encryption

The American Medical Association (AMA) has published an excellent resource on data encryption.  The publication is called HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.  I urge you to read the whole document but I will point out a few of the important sections.

1. I manage a small practice. Why should I care about the changes to the HIPAA Security Rule?

Perhaps the most significant of the changes to the HIPAA Security Rule is the requirement for HIPAA-covered entities and their business associates to provide notification in the event of a breach of “unsecured protected health information [PHI].”  This means, for example, that if a hacker were able to gain access to a physician practice’s computer system that contained patient information, the physician practice would have to inform all patients and the Department of Health and Human Services (HHS) of the breach. In some cases, the physician practice would also need to notify the media. The one and only exception to this new requirement is encryption technology: If the electronic PHI (or ePHI) is stored and transmitted in encrypted form, then you do not need to notify patients, even if there is a security breach.

The last line is very important.  If data is encrypted and there is a security breach, there is no need to notify patients.  For example, if a laptop holding a lot of patient data, financials, SSNs, progress notes, etc. is lost but the laptop was encrypted, there is no need to notify patients that the data was lost.  Basically encryption is a "get out of jail free card", with two conditions attached.  First, the encryption has to meet the HHS guidance that defines "unsecured" PHI, which points to the NIST recommendations (full-disk or volume encryption with a recognized algorithm, not a password on a Word document).  Second, the key or passphrase must not have been compromised along with the data: a laptop lost with its recovery key on a sticky note in the bag, or left asleep with the encrypted volume still unlocked, does not qualify.  Encrypt the device, keep the key separate, and record both facts so you can prove them after a loss.

The document goes on to explain what encryption is, how encryption works, and the use of keys to encrypt the data.

Other good questions that are discussed:

7. Which types of data can be encrypted?

Any kind of data can be encrypted. You can encrypt plain text files, PDF documents, spreadsheets, images and any other form of information in your computer. You can even encrypt database information and information on back-up media.

8. Which data should a physician practice typically encrypt?

You should encrypt any systems and individual files containing ePHI. Data you should encrypt includes your practice management system; electronic medical records; documents containing ePHI, such as claims payment appeals; scanned images, such as copies of remittance advices; e-mails containing ePHI; and ePHI that you transmit, such as the claims sent to a clearinghouse.

9. Do e-mails containing ePHI have to be encrypted?

Yes, e-mails containing ePHI must be encrypted. E-mail is not like mailing a sealed letter or package. It is more like sending a postcard. People are not supposed to read it while it is in transit, but it passes through many hands, and one can never be sure that someone is not reading it illegally. Fortunately, there are many tools available for encrypting e-mail.

10. Does ePHI that is accessed via the Internet need to be encrypted?

Yes, data that is published on the Internet is available to the public. The only way to protect health information that is made available on a Web site is to use a technology known as “secure sockets layer” (SSL). You are probably already using this encryption method, whether you are aware of it or not. Any Web site that has a URL (i.e., an Internet address) beginning with “https” is using SSL or a similar encryption method. When you are on these Web sites, you may notice a small padlock icon on your browser. Double-clicking this icon usually gives you more information about how that browsing session is protected.

12. How can I encrypt the data on my computers?

You have several choices. There are built-in encryption programs, such as Microsoft® Encrypting File System (EFS), which you can use simply by changing the properties of the folder in which the sensitive data is kept (if you use a computer with Microsoft Windows®). Most of the popular data base technologies, such as Microsoft SQLServer®, MySQL®, Oracle® and Sybase®, include an encryption option you can use. There are also several encryption products, such as Pretty Good Privacy® (PGP®), that you can purchase and install on your computer.

13. Is encryption expensive?

Encryption can be expensive, but it doesn’t have to be. Some encryption programs are available at no cost. Microsoft EFS, for example, is shipped as part of the Windows operating system. Microsoft also provides whole-disk encryption on Windows 7 systems with a program called BitLocker™ Drive Encryption. Other programs, such as TrueCrypt®, may be downloaded and installed for free. At the other extreme, encryption devices known as hardware security modules (HSMs) can be quite expensive. The choice you make depends on many factors, including encryption strength, speed, available technical support and ease of use.

Other questions cover encryption technologies, encryption keys in more detail, what happens if you lose an encryption key, and the size of encryption keys.

Finally they go into detail about the steps you need to take to begin using encryption and exactly what data should be encrypted.

Again I urge you to read the document in its entirety.  It is a very good resource for educating yourself about data encryption.  Remember, if you encrypt your data properly and keep the keys safe, it is one less thing you need to worry about.

Screenshots are a picture of liability

My clients love sending screenshots and my staff equally enjoys receiving them.  A screenshot is a great way to capture the contents of an application error message or to show the state of an application when some unexpected result occurs. From a support point of view my staff gets to see the exact error message a client is receiving.  You can’t imagine how many times they hear “a box popped up and said something like unexpected error or something”.  So getting a screenshot makes troubleshooting problems a lot easier.  

Our helpdesk application is an SSL-secured website, so everything that is entered or uploaded is encrypted on its way to us. When clients upload screenshots I do not worry about the upload itself, because the information is encrypted in transit. What happens after it lands (who on the support staff can see the ticket, how long attachments are kept) is a separate question, and one worth asking of any vendor you send screenshots to. I have to admit that some clients are more screenshot-crazy than others. They send screenshots of everything.

By now you are probably asking yourself why I am going on about screenshots.  Although screenshots make providing support easier, they can also be a liability. A screenshot of Microsoft Word captured while someone is revising the text of a Privacy notice is no big deal. But a screenshot out of an EMR while in a patient record could lead to a security violation.  The screenshot might contain a patient's demographic information, financial information, or procedure codes from the patient's last visit.

Screenshots are so easy to capture and send that your employees could easily email one to a vendor with no encryption.  One could argue that it is harder to extract patient information from an image than from a spreadsheet, but an image of a patient's chart is still EPHI, and I believe that all electronic patient information sent via email HAS to be encrypted.

If your practice sends screenshots to vendors to help with support issues, there are a few ways to handle the security issue.

  1. Make sure you educate your staff on the potential security risk that sending a screenshot could present.
  2. Make a policy that explicitly says that no screenshots are permitted that contain patient information.
  3. Implement on demand email encryption and require that all screenshots that are sent are marked as secure and sent encrypted.   Products such as ZixCorp and Voltage email encryption are both relatively easy to setup and are fairly inexpensive.
  4. Setup TLS email encryption between your email server and your vendors’ email servers. This will ensure that all communication between your practice and your vendors is encrypted. Furthermore, require that all Business Associates set up TLS email encryption with your email server. While that may be possible with larger vendors, you might find that smaller vendors do not have the ability or skill set to implement TLS. One caveat: most mail servers do TLS opportunistically by default, which means that if the other side does not offer STARTTLS (or the negotiation fails) the message is quietly sent in cleartext. For the vendors you rely on, configure TLS as mandatory for their domain so that the mail is held and you are alerted rather than sent unprotected, and check your mail logs to confirm that deliveries to those domains are actually encrypted.
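The difference between "TLS is set up" and "TLS is enforced" is easy to miss, so here is an added example (illustrative Python, not mail-server configuration and not code from the original post) that models the two behaviours. The policy values "may" (opportunistic) and "encrypt" (mandatory) mirror the usual meaning of those terms; the vendor domains, the recipients and the "did the receiving server offer STARTTLS" facts are constructed for the illustration.

```python
"""Model of opportunistic versus enforced outbound SMTP TLS over constructed deliveries."""

DEFAULT_POLICY = "may"   # opportunistic: use TLS if offered, otherwise send in cleartext

# Per-domain outbound TLS policy (assumed domains). Business Associates get mandatory TLS.
TLS_POLICY = {
    "emr-vendor.example": "encrypt",
    "clearinghouse.example": "encrypt",
    "billing-service.example": "encrypt",
}

# Constructed delivery records, not real logs:
# (recipient, did the receiving server offer STARTTLS on this connection?)
DELIVERIES = [
    ("support@emr-vendor.example", True),
    ("claims@clearinghouse.example", False),    # their server stopped offering STARTTLS today
    ("help@smallvendor.example", False),        # small vendor, no TLS at all
    ("reminders@patientmail.example", True),
]


def policy_for(domain, table):
    """Look up the per-domain policy, falling back to the opportunistic default."""
    return table.get(domain.lower(), DEFAULT_POLICY)


def decide_delivery(recipient, starttls_offered, table):
    """Return ('sent', encrypted?) or ('deferred', None) for one delivery attempt."""
    domain = recipient.rsplit("@", 1)[1]
    if starttls_offered:
        return "sent", True
    if policy_for(domain, table) == "encrypt":
        return "deferred", None      # held in the queue and retried; the admin sees it
    return "sent", False             # the silent cleartext fallback of an opportunistic policy


def cleartext_recipients(deliveries, table):
    """Recipients whose message would leave the practice unencrypted under this policy table."""
    return [rcpt for rcpt, offered in deliveries
            if decide_delivery(rcpt, offered, table) == ("sent", False)]


def deferred_recipients(deliveries, table):
    """Recipients whose message would be held rather than sent in cleartext."""
    return [rcpt for rcpt, offered in deliveries
            if decide_delivery(rcpt, offered, table) == ("deferred", None)]


if __name__ == "__main__":
    print("opportunistic everywhere, sent in clear:", cleartext_recipients(DELIVERIES, {}))
    print("with policy table, sent in clear:      ", cleartext_recipients(DELIVERIES, TLS_POLICY))
    print("with policy table, held for TLS:       ", deferred_recipients(DELIVERIES, TLS_POLICY))
```

With an empty policy table (everything opportunistic) the claims file to the clearinghouse goes out in cleartext the day their server misbehaves, and nothing tells you. With the clearinghouse marked "encrypt" the same message is deferred instead, which is the behaviour you want for a Business Associate: a stuck queue is a support call, a cleartext disclosure is a breach.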

Whichever steps you take make sure your staff uses caution when sending any screenshot.

How NOT to address security

There is a lot of talk surrounding HIPAA security, especially as more and more practices implement EMRs.  I have attempted to shed some light on the steps you need to perform to ensure your network and patient information are protected.  So when I read a story in the Vancouver Sun, I figured I would point out how NOT to implement security.  This is a classic example of how a medical institution totally ignored security.

The Vancouver Sun sheds light on the lax security at the Vancouver Coastal Health Authority.  Here are some highlights (low-lights) of the story.

“In every key area we examined, we found serious weaknesses,” wrote Doyle. “Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information without the authority even being aware of it.”

“No intrusion prevention and detection systems exist to prevent or detect certain types of [online] attacks. Open network connections in common business areas. Dial-in remote access servers that bypass security. Open accounts existing, allowing health care data to be copied even outside the Vancouver Coastal Health Care authority at any time.”

“Almost all users have some access to confidential information about all clients in the database. Many clients’ full health information is accessible to a large number of users. Team memberships are not up to date, meaning that many unauthorized users could have access to client records that they should not have.”

“Former client records and irrelevant records for current clients are still accessible to system users. Hundreds of former users, both employees and contractors, still have access to resources through active accounts, network accounts, and virtual private network accounts.”

Those are some pretty serious security risks.  Basically they had no way of knowing if someone had hacked into their network or what they may have accessed.  Almost all users had access to the EMR no matter what their job function.  They never disabled user accounts after employees or contractors stopped working, and those former employees and contractors still had remote (VPN) access to the network and could still reach patient information after they left.

The security was so weak that the auditor of the Vancouver Coastal network delayed publishing his report for 6 months to give Vancouver Coastal time to correct the security problems.  In all, the auditor made 127 recommendations for changes to the security procedures.

So if you are thinking about implementing the correct procedures to ensure that your network is secure; make sure you don’t follow Vancouver Coastal’s methodologies!

USB drives pose security risks

Today USB drives (also known as flash drives and thumb drives) are commonplace.  They can store a lot of data, they are cheap and they are easily transported; a 2GB flash drive can be bought for $7.00 or less.  These drives give you the ability to carry documents, spreadsheets, PDF files and other data from one computer to another.  Unfortunately, along with convenience come security risks.

An employee working on a document could copy it to a flash drive, bring it home and make modifications.  The employee then copies the revised document back to the flash drive, brings it to work in the morning and copies it back to their computer or a network drive.  Just as easily, an employee may copy a series of reports extracted from an EMR, a spreadsheet of patients' financial information, or next week's schedule with patient demographics.  The employee may have the best of intentions of working on the information at home.  Now suppose the employee misplaces the flash drive on the way home.  The data on USB drives is usually not encrypted.  A flash drive is about the size of a house key, and some attach right to a key chain; we have all lost or misplaced keys, and losing a flash drive is just as likely.  If the employee loses the flash drive, the practice is looking at a HIPAA security breach, and along with the breach may come fines, the cost and expense of breach notifications and negative press for the practice.

Another security risk centers around viruses and spyware/malware.  The employee may bring data home to work on at night, and the home computer may be infected with a virus or have malware loaded on it.  When the employee saves the modified data, the virus or malware may be written to the flash drive as well, and from there to the practice's network when the files are copied to the employee's computer or a network drive.  Malware that spreads through removable media needs no action from the user beyond plugging the drive in.

One way to prevent these types of security risks is to create a policy that prohibits the use of USB drives.  Unfortunately a USB drive is so small and easily concealed that an employee may ignore the policy, not because they intend to steal data but simply to bring work home in an effort to "catch up" or finish a task.

According to an article by Ars Technica, the National Security Agency (NSA) has developed a tool that will detect USB drives on internal computer networks. 

Although having strong IT security policies can help reduce the risks, it’s not always easy to enforce such policies. The NSA built a tool, called USBDetect, that is designed to help government agencies track the usage of USB storage devices on their internal networks. The tool is not publicly available, but is briefly described in a section of the NSA’s 2011 budget proposal, which was highlighted yesterday by NextGov defense technology blogger Bob Brewin.

“A Computer Network Defense Tool developed by NSA, USBDetect 3.0, is available to U.S. Government (USG) users free of charge. USBDetect gathers data (locally or on a network) from personal computers running Microsoft Windows 2000 or later operating systems, and reports unauthorized usage of Universal Serial Bus (USB) thumb (a.k.a. flash) drives, external hard drives, compact disk drives, and other storage devices,” the budget proposal says. “The USBDetect tool provides USG network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks.”

As noted in the article, the NSA tool is only available to government agencies and is not commercially available.

There are commercial device-control programs that will disable the use of USB drives, making a drive inaccessible and therefore preventing data from being copied to or from it.  Windows also has Group Policy settings (under Removable Storage Access) that can deny read or write access to removable disks without third-party software.  Whichever you use, blocking adds administrative overhead, because some employees have legitimate needs to use USB drives: copying non-patient data, presentations, etc.  A middle ground is to allow only practice-issued, encrypted drives and block everything else.

The purpose of this post is to highlight the security risks associated with USB drives.  Policies preventing the copying of patient information to them are required, as are employee training and alerts to the potential dangers associated with USB drives.  There are technologies that can help guard against the security risks, but they present a different set of issues and administrative overhead.

Survey: Patients May Lie if Electronic Medical Records Are Shared

There is an interesting article in the Wall Street Journal Health Blog, based on a study from the California HealthCare Foundation.  The study showed that patients are concerned about the privacy of their medical records:

Privacy concerns still hover around EMRs, with 68% of survey respondents reporting some degree of worry about what happens to their personal information once it’s stored in a doctor’s computer.

Note:  35% responded that they were very concerned and 33% responded that they were somewhat concerned.

15% of the 1,849 adults surveyed said they’d conceal information from a physician if “the doctor had an electronic medical record system” that could share that info with other groups. Another 33% would “consider hiding information.”

Note: The question made it clear that personal information including name, address, and other personal information would NOT be shared.

It is clear from the survey that there is still a long way to go before patients are comfortable with electronic records.

Outsourcing Medical Billing

Every medical practice faces a similar issue: getting paid for services performed for patients.  Some practices have made medical billing a core component of their business.  They have a group of heads-down medical billing specialists who manage the entire billing process and watch the accounts receivable like a hawk.  Other practices want no part of having the medical billing function in house and are happy to outsource it to a company that specializes in medical billing.  The questions to be asked: is there a right or wrong decision to be made, and how do you make the decision?

Chris Thorman over at Software Advice gives a very good analysis of the costs to a typical 3-physician practice, comparing in-house versus outsourced medical billing.  Here is an overview of his cost analysis:

Cost Analysis
For many practices, the outsourcing decision boils down to one factor: cost.

To help compare the costs of in-house billing versus outsourced billing, we’ve created a hypothetical, three-physician practice. To arrive at these numbers, we’ve used what we believe to be industry averages. Here are the characteristics of this practice:

Three primary care physicians;

Two medical billing specialists;

80 insurance claims filed per day (~20,000 per year);

$125 billed per claim on average (~$2,500,000 per year); and,

We assume that the billing service has a high collection rate on claims.

So, how much does each billing approach cost? Take a look at the annual costs:

                                In-House      Outsourced
Billing department costs        $118,000      $4,000
Software and hardware costs     $7,500        $500
Direct claim processing costs   $3,600        $122,500
Software and hardware costs     $5,500        $2,000
% of billings collected         60%           70%
Collections                     $1,370,900    $1,623,000
Collections costs               $129,100      $127,000
Collections, net of costs       $1,241,800    $1,496,000

Chris goes on to justify this cost analysis by discussing the cost assumptions.  Click here for the complete analysis.  Based on his analysis he determined that collections would be higher for the practice if it chose to outsource the medical billing function.

Today, companies and medical practices have the ability to outsource many functions that are required to run the business.  You can outsource your payroll, human resources, computer support, etc.  In each decision to outsource you have to ask yourself the questions; is this function core to my business and can I do a better job at it than outsourcing to a company that specializes in this function? 

I have seen practices that are really good at medical billing.  They have made billing a core function of the practice and turned it into a well-oiled machine.  I have also seen practices with constant turnover in the medical billing department and have heard about the pain associated with the turnover.

My advice is to make sure you know what you are getting into.  If you choose to keep medical billing in-house then you need to understand the costs, hardware/software/network dependencies, training requirements and staffing requirements.  If you choose to outsource you need to understand the costs, the functions your staff will still have to perform, the service level and the agreed upon expectations you have of the medical billing company.

Do you have a success or horror story related to medical billing?  Are there other factors that need to be considered when making the decision?  Feel free to share your thoughts.

HIPAA Security Rule Risk Analysis and Management

This is the third part in an on-going series about the HIPAA Security Rule. So far I have discussed the following:

As I mentioned previously, the Security Rule is broken into three main parts; the administrative, physical and technical safeguards. We will now dive into the administrative safeguards.

The administrative safeguards make up roughly half of the Security Rule. So if you implement the administrative safeguards you are about half way done! Below is a list of the Standards, Sections and Implementation Specifications.

Standard                                            Section          Implementation Specification                  R/A
--------------------------------------------------  ---------------  --------------------------------------------  ---
Security Management Process                         164.308(a)(1)    Risk Analysis                                 R
                                                                     Risk Management                               R
                                                                     Sanction Policy                               R
                                                                     Information System Activity Review            R
Assigned Security Responsibility                    164.308(a)(2)    (no separate specifications)                  R
Workforce Security                                  164.308(a)(3)    Authorization and/or Supervision              A
                                                                     Workforce Clearance Procedures                A
                                                                     Termination Procedures                        A
Information Access Management                       164.308(a)(4)    Isolating Health Care Clearinghouse Function  R
                                                                     Access Authorization                          A
                                                                     Access Establishment and Modification         A
Security Awareness Training                         164.308(a)(5)    Security Reminders                            A
                                                                     Protection from Malicious Software            A
                                                                     Log-In Monitoring                             A
                                                                     Password Management                           A
Security Incident Procedures                        164.308(a)(6)    Response and Reporting                        R
Contingency Plan                                    164.308(a)(7)    Data Backup Plan                              R
                                                                     Disaster Recovery Plan                        R
                                                                     Emergency Mode Operation Plan                 R
                                                                     Testing and Revision Procedure                A
                                                                     Applications and Data Criticality Analysis    A
Evaluation                                          164.308(a)(8)    (no separate specifications)                  R
Business Associate Contracts & Other Arrangements   164.308(b)(1)    Written Contract or Other Arrangement         R

R = Required, A = Addressable

I am going to take the rest of this article to discuss just the Security Management Process and, more specifically, the Risk Analysis and Risk Management implementation specifications. I believe the whole foundation of the HIPAA Security Rule rests on these two implementation specifications.

Keeping in mind that the principle behind HIPAA is protecting patient information, it is important to determine where patient information resides and determine what risks could potentially prevent you from protecting the information. Once you determine where the patient information resides and what the risks to protecting it are, you can then put in place procedures that will reduce these risks and strengthen your ability to protect the information.

To further illustrate the point, let’s apply the Security Management process to your house. Your house protects you and your family as well as your possessions; let’s call all of these your valuables. In order to protect your valuables you need to know the inventory of your valuables. While you probably won’t forget your spouse and kids, you may not remember the gold watch tucked away in your dresser drawer. So the first step should be to write down all of your valuables. Once you have a complete inventory of your valuables you need to determine the importance of them to you. Let’s break the importance into three categories; high, medium and low. Most likely your family ranks at the top of your importance list and would fall into the high importance category. The gold watch may have a significant financial value or may be a gift from someone making it important but not nearly as important as your family. Let’s put the gold watch into the medium category. Your mailbox may be on the list but of very little importance. If anything were to happen to your mailbox you can easily replace it with minimal financial impact so we will put that in the low category. So now you have a complete list of all your valuables and you have assigned an importance category to each of them. The next step is to determine the potential threats to your valuables.

No matter where you live the threat of crime always exists. If you live in a low crime area the threat may be lower, but conversely if you live in a high crime area the threat could be very real. Once again we will break each threat into a category of high, medium or low. A flood is another threat to your valuables. If you live by a river or lake the threat of a flood could be high. A hurricane could be another threat, but if you live in Kansas the threat is probably very low. At the end of this process you have a list of all potential threats to your valuables as well as the likelihood of each threat occurring.

Now you take the list of your valuables that are categorized by their value to you, combine it with the threats and their likelihood of occurring, and you have identified where you need to focus your attention. If your family is of high value and the threat of crime is high, you will spend a lot of attention on securing your house. This could entail adding additional locks to your doors or installing a security system. On the other hand, your mailbox is of low value, so you may choose not to worry about adding any additional security other than securing it to a mailbox post. Your home security management process is complete when you have gone through the list of your valuables and implemented steps to protect them from the potential medium and high threats.

The process of protecting your valuables is the exact process that the Security Rule calls for in regard to protecting EPHI. Determine where your EPHI resides. Like the home illustration, you probably won’t forget your EMR (i.e. family), but EPHI may also reside in email or in digital x-rays on a network share (i.e. the gold watch). Make sure you have a complete list of all your EPHI and write it down. Categorize the importance of the EPHI. As a rule of thumb I like to say that the more EPHI you have in a system and the more people that access the EPHI, the higher the importance of the system (high category). The less EPHI and the fewer people accessing the system, the lower the importance of the system (low category). Another rule of thumb: if the system contains very important or highly confidential information then the system would fall into the high category. Conversely, if the system is encrypted or requires special software to access the EPHI then this would lower the category of the system. The next step is to identify the threats to your EPHI and categorize the likelihood of each threat occurring.

The loss of EPHI is always something to be concerned about (high category). In addition, fire, flood or a natural disaster are other threats to consider. Once again each of these threats needs to be categorized with the likelihood of the threat occurring.

The final Security Management step is to implement procedures to protect your EPHI against the medium or high potential threats. Let’s look at a few threats and some steps to strengthen your ability to protect your EPHI:

Threat | Steps to prevent threat
------ | -----------------------
Loss of EPHI (employee accidentally deletes EPHI) | Ensure you have an up to date backup of the EPHI
Loss of EPHI (disgruntled former employee accesses and destroys EPHI) | Ensure you have a valid backup and disaster recovery plan. Implement an employee termination procedure that removes physical and network access
Theft of EPHI (hacker penetrates your network and accesses EPHI) | Ensure your network is protected by a firewall; virus protection is up to date; systems have strong password protection, etc.
Loss of electrical power | Ensure you have a disaster recovery plan; install Uninterruptible Power Supplies (UPS) or install a backup generator

What you will notice is that after the Security Management process, the rest of the Security Rule is all about minimizing the potential risks to your EPHI. Each of the Steps to prevent threat listed in the above table corresponds to a specific Standard and/or Implementation Specification in either the Administrative, Physical or Technical safeguards of the Security Rule.
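As an added illustration (example code, not part of the original post), the following Python script carries out the Risk Analysis steps described above for a constructed EPHI inventory: it applies the post's rules of thumb to assign each system an importance category, pairs every system with the threats from the table, and keeps only the pairs where both importance and likelihood are medium or high. The numeric thresholds, the likelihood ratings, the inventory and the flood mitigation are assumptions, not values from the post.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class System:
    name: str
    record_count: int        # how much EPHI the system holds
    user_count: int          # how many people access the EPHI
    highly_confidential: bool
    encrypted: bool          # encryption or special access software lowers the category

def importance(s: System) -> str:
    """Category per the post's rules of thumb; the numeric thresholds are assumed."""
    score = 1
    if s.record_count >= 1000:       # a lot of EPHI raises the category
        score += 1
    if s.user_count >= 10:           # many people with access raises it again
        score += 1
    if s.highly_confidential:        # very sensitive content is always high
        score = 3
    if s.encrypted:                  # encryption lowers the category one step
        score = max(1, score - 1)
    return ["low", "medium", "high"][score - 1]

# Threats named in the post: (assumed likelihood for this practice, mitigation from its table).
THREATS = {
    "accidental deletion": ("high", "up-to-date backup of the EPHI"),
    "former employee destroys EPHI": ("medium", "backup + DR plan; termination procedure removes access"),
    "network intrusion": ("medium", "firewall; current virus protection; strong passwords"),
    "loss of electrical power": ("medium", "DR plan; UPS or backup generator"),
    "flood": ("low", "DR plan; off-site backup"),   # mitigation assumed, not in the table
}

def risk_register(systems):
    """Pair each system with each threat; keep pairs with importance and likelihood
    both at least medium, ordered by combined rank (importance x likelihood)."""
    rows = []
    for s in systems:
        imp = importance(s)
        for threat, (likelihood, fix) in THREATS.items():
            if LEVEL[imp] >= 2 and LEVEL[likelihood] >= 2:
                rows.append((LEVEL[imp] * LEVEL[likelihood], s.name, imp, threat, likelihood, fix))
    rows.sort(key=lambda r: (-r[0], r[1], r[3]))
    return rows

INVENTORY = [   # constructed inventory for an imaginary practice
    System("EMR", 25000, 40, True, False),
    System("Email", 300, 40, False, False),
    System("X-ray network share", 5000, 6, False, False),
    System("Billing laptop", 2000, 2, False, True),
]
```

Running `risk_register(INVENTORY)` puts the EMR against accidental deletion at the top of the list and drops the encrypted billing laptop and the low-likelihood flood entirely, which is the "focus your attention" outcome the home illustration describes.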

In future posts, I will go over the rest of the administrative safeguards as well as discuss the physical and technical safeguards.


Medical practices face Red Flag Rule

I am amazed that medical practices still have the time to see and treat patients.  Between complying with the HIPAA Privacy and Security Rules, implementing EMRs, working on stimulus reimbursements, checking for patient pre-authorization,  battling insurance companies over reimbursement rates and the whole medical billing process; it is amazing that there is time left to treat patients.  So with that said let’s look forward to June 1, 2010 when medical practices have to worry about the Federal Trade Commission’s (FTC) Red Flag Rule.

According to the American Medical Association (AMA) the Red Flag rule has been delayed many times before.

In Nov. 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule,” requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. Originally scheduled for a Nov. 1, 2008 compliance date, the FTC has now delayed the enforcement date of the Red Flags Rule until June 1, 2010. The new compliance date of June 1, 2010, which follows three earlier extensions to May 1, August 1 and then later to Nov. 1, is a result of continued advocacy by the AMA and others who continue to object to the applicability of this Rule to health care providers and other professionals.

In an AMA editorial on March 15, 2010, they argue that the FTC is improperly applying rules that are normally enforced on the banking industry to medical practices.

As of June 1, physician practices are supposed to have written identity-theft and detection programs in place to satisfy what is commonly known as the red flags rule. The FTC aimed the regulation at what it referred to as “creditors,” meaning, generally, banks and credit-card companies, to protect consumers’ account information from being misused.

Only months before the original Oct. 1, 2008, deadline for compliance, the FTC said physicians must comply with the red flags rule because, by virtue of billing and collecting payments only after services were completed, they also were “creditors.” This, despite the FTC’s final rule, in June 2008, making no mention of physicians, and only a single reference to medical identity theft.

The claims payment process is not a deferral process, a way to extend credit to patients. Instead, it simply reflects the realities under which doctors have legal, ethical and contractual obligations under federal and state laws that govern insurance relationships. Generally, a physician is barred from requiring that certain payment conditions be met upfront before treatment. So does the FTC think physicians can, and should, demand money upfront so they are no longer considered creditors?

It looks like the AMA will continue to push back on the FTC but for now June 1, 2010 is the date to start implementing procedures to comply with the Red Flag rule.  The AMA has published a sample policy that can be customized to your practice.  So add another policy, procedure and government regulation to the list of things to worry about. 
