Page, Wolfberg & Wirth, LLC

		ENewsletter		Signup		Search
Home About the Firm PWW Online Store EMS Law Library ABC3 PWW Events Speaking Engagements Billing and Coding Products HIPAA Products Compliance Documentation EMS Managers Proposed Rule Would Bring Negative Reimbursement Changes for the Ambulance Industry PWW Free Forms Library Links Ambulance Billing/Medicare Compliance EMTALA/Hospital Diversion Labor/Employment HIPAA/Patient Privacy Red Flag Rules Attorneys, Consultants and Staff Legal Services Consulting Services Presentations Keynote/General Sessions Disclaimer Our Privacy Policy MBI Solutions Space is Limited - Reserve your Webinar Seat Now! NEARLY SOLD OUT! PWW Executive Institute SOLD OUT - CAC LIVE ABC3 Fall 2010 Sessions Hotel Information - Fall Conference FAQs ABC3 Bash!Sponsor & Exhibitor Information ABC3 - Fall 2010 Dates

Red Flag Rules

FTC Announces Another Enforcement Delay

of the “Red Flag Rules”

Ambulance Services Now Have Until December 31, 2010 to Implement Identity Theft Prevention Programs

The Federal Trade Commission (FTC), in what is becoming a tiresome exercise in federal agency indecision, announced yet another delay in enforcement of the Red Flag Rules. As anticipated, the FTC announced on May 28, 2010 that is was again delaying enforcement of the Rules until December 31, 2010 instead of the previously-extended June 1, 2010 deadline. This means that ambulance services have additional time to put into place a workable identity theft prevention program, if they have not done so already.

To read the FTC’s Press Release, CLICK HERE.

When the Rules went into effect in November of 2007, the FTC took an unexpectedly broad stance regarding their application and stated that it intended the Rules to apply not only to financial institutions, but to all individuals that defer payment for services after they have been provided. This caught a number of industries by surprise --- including the health care industry --- and left health care providers scrambling to try to achieve compliance by the original enforcement deadline, November 1, 2008. Realizing that compliance by that date was unrealistic, the FTC subsequently delayed enforcement several times.

In the meantime, ambulance services should stay tuned for updates from the trusted industry experts at Page, Wolfberg & Wirth. We are closely monitoring developments and will continue to keep the industry informed of their obligations. We are pleased to see that many ambulance services have already taken steps to achieve Red Flag Rules compliance.

Hundreds of ambulance services throughout the country stand prepared for whatever enforcement deadline the FTC may finally settle upon, are you? We are proud to offer the industry the practical tools to meet your compliance obligations. The "Red Flag Rules Survival Kit" offers complete integration with the Ambulance Service Guide to HIPAA Compliance - all new policies can be seamlessly implemented along with your HIPAA policies.

CLICK HERE to read the Red Flag Rule. (PDF Format, 59 pages)

CLICK HERE for info on PWW's Red Flag Rules Survival Kit and Audio Recording

Background of the Red Flag Rules

On December 4, 2003, President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which added several new provisions to the Fair Credit Reporting Act (FCRA). The FACTA directed several government agencies to issue regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. On November 9, 2007, the FTC and other federal bank regulatory agencies issued joint regulations collectively referred to as the “Red Flag Rules”.

The Red Flag Rules require financial institutions and creditors to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with new and existing accounts. Under the November 9, 2007 joint regulations, organizations that are subject to the Rules are required to have Programs in place by November 1, 2008 (now delayed until November 1, 2009). While most financial institutions that are subject to the jurisdiction of the federal bank regulatory agencies must still comply with applicable regulations by November 1, 2008, the FTC has stated that it will delay enforcement action until December 31, 2010, though it is now starting to appear as if Congress may seek to narrow the scope of these Rules before they take effect.

Most ambulance services will meet the definition of a creditor under the Red Flag Rules and are therefore required to be in compliance the FTC’s regulations.

Why Ambulance Service are Covered Under the Red Flag Rules?

The Rules apply to organizations who meet the definition of a “creditor” that offers or maintains “covered accounts.” These terms are defined very broadly and most ambulance services are creditors with covered accounts under the definitions in the Red Flag Rules.

The Red Flag Rules define “creditor” to mean any person who regularly extends, renews, or continues credit. “Credit” means the right granted by a creditor to a debtor to defer payment of debt. Unfortunately, the FTC has not defined the term "regularly” so we are left with a very broad definition that could mean any organization that grants credit. The FTC stated in a recent June 2008 Business Alert, “[w]here [entities] defer payment for goods or services, they, too are to be considered creditors. Most creditors . . . come under the jurisdiction of the FTC.” Many ambulance services, offer patients deferred payment plans or installment payments and would therefore meet the definition of a “creditor” under the Red Flag Rules.

A "covered account" is defined as a continuing relationship between a person and a creditor in which the creditor maintains or offers the account for the purchase of goods or services for personal, family, household or business purposes, that either: (1) permits multiple payments or transactions; or (2) in which there is a reasonably foreseeable risk to customers or the creditor of identity theft. Any patient billing account that an ambulance service has established (itself or through its third party billing company) would likely be a “covered account” if the patient is permitted to make multiple payments on the account. Patient billing accounts could also fall under the second category of “covered accounts” because of the reasonably foreseeable risk that they would be affected by identity theft.

Elements of an Identity Theft Prevention Program

Because most ambulance services likely meet the definition of “creditor” and maintain “covered accounts,” ambulance services are required to establish reasonable processes and procedures to combat identity theft in connection with opening and maintaining the covered accounts, i.e., an Identify Theft Prevention Program. The Rules state that the Program must be written, and it must be appropriate to the size and complexity of the organization and the nature and scope of the organization’s activities.

The Program must include reasonable policies and procedures to: (1) identify relevant Red Flags, and incorporate those Red Flags into the program; (2) detect Red Flags that have been incorporated into the program; (3) respond appropriately to any Red Flags that are detected; and (4) ensure the program is updated periodically. Red Flag means “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”

Administration of an Identity Theft Prevention Program

The initial written Program established by an ambulance service must be formally approved by the service’s board of directors or an appropriate committee of the board. The ambulance service must also involve the board or an appropriate committee or designated employee to oversee the development, implementation, and administration of the Program. Administration of the program must include staff training to effectively implement the Program, and must also include oversight of relevant service provider arrangement.

An ambulance service must also periodically conduct risk assessments to determine whether it offers or maintains covered accounts. The risk assessment must take into consideration: (1) the methods that the service provides for opening accounts, (2) the methods the service provides to access its accounts, and (3) and the service’s previous experiences with identity theft.

In addition to the requirements above, the FTC published guidelines in an appendix to its regulations to assist organizations in the formation of their Red Flag programs. Ambulance services should be aware that the Program can be flexible and the FTC does not require any specific language, policies or procedures. Ambulance services need to comply with the basic requirements in the regulations and they have the ability to tailor the Program appropriately to the size and complexity of the organization. This means that while larger organizations may have to develop a distinct, comprehensive program in addition to other programs they have in place, smaller organizations may opt to incorporate the Program into existing policies and procedures. Each service will have to make an individual determination in accordance with the general requirements of the Red Flag Rules and take appropriate steps for compliance.

Red Flag Rules Bundle
$307.95

Red Flag Rules Webinar Recording
$208.95

Red Flag Rules Survival Kit For Ambulance Services
$119.00

Red Flag Rules Bundle

The Red Flag Rules Bundle is the easy and economical way to order all of PWW's Red Flag Rules resources and bring your ambulance service into compliance with these important regulations. The Red Flag Rules Bundle includes the Red Flag Rules Webinar Recording and the Red Flag Rules Survival Kit for Ambulance Services.

The Ambulance Billing and Coding Desktop Reference Guide

The Ambulance Billing and Coding Desktop Reference Guide is a convenient way to have all of the important procedure codes, modifiers, condition codes and transportation indicators necessary for proper ambulance billing at your fingertips.