Rule raises a red flag: long-term care facilities on guard against new law

Tish Erdmann, Ph. D.
Hungry plaintiffs' attorneys and federal agency officials could cause big problems for providers when a new federal rule kicks in May 1.

On May 1, it is likely that more than half of the long-term care facilities in the United States will be in violation of a new federal rule.

The rule originates from a new enforcer to health care providers: the Federal Trade Commission.

One of the difficulties in this unprecedented relationship is communication. The FTC views its role as one of enforcement, not guidance. If you look at our relationship with the Centers for Medicare & Medicaid Services, it is based on an enforcement model as well—but in an environment rich with guidelines. The FTC is introducing the so-called Red Flags Rules into the healthcare industry without letters to facilities or guidelines.

CMS may be tough, but at least we share the same medical background. The FTC, on the other hand, does not claim any knowledge in healthcare. They do, however, provide us with 16 CFR 681 in the Federal Register.

A look at a troubling rule

After combing through 60 pages of regulations with special emphasis on the last four, a look at the final rule reveals the need to help Uncle Sam tighten the screws on identity theft. Not a bad cause. This amendment to the FACT (Fair and Accurate Credit Transactions) Act is often referred to as the Red Flags Rules. Created in response to a crippling rise in identity theft and medical fraud, the heart of this legislation lies in detecting identity theft long before the customer ever realizes it has happened. It also deals with developing strategies to prevent the loss of secured information as well as procedures for mitigation once identified.

The law applies to most but not all providers, so how can you tell the difference?

The Red Flags Rules address any facility that provides a service and then bills for the service (deemed a creditor). Under government reimbursement programs such as Medicaid or Medicare, the actual amount billed to the government programs does not count. However, it is not yet time to celebrate. The incidentals billed to the patient still qualify. All private pay and insurance falls under these rules as well. Typically, these bills are sent to a household and are set up for multiple payments.

If it looks like so many facilities will not be in compliance by May 1, what's the big deal?

The FTC would give you two answers to that question. The first, with a quickly melting smile, would be, “It is the right thing to do.” I could not agree more. Protecting patients from identity theft is indeed an honorable and necessary responsibility.

The second, with an absolute, no-nonsense strong enforcement tone, would be, “You will be in violation of a federal rule.” This is not a particularly fun place to be if you should stumble across a civil suit. The bottom line is it is highly unlikely that someone will be at your door on May 2 asking for evidence of your program. There is a much stronger likelihood that in the next five to eight years you will be asked to present your program. It may be in a courtroom or possibly an audit.

One thing is for sure: The examiner will look at the program from May 1, 2009, to the present day to see if reasonable measures have been taken to prevent, detect and mitigate identity theft. It stands to reason that a good faith effort will fare better in court than, “I didn't know, your honor.”

The most common mistake

Providers must avoid the most common mistake: The law requires a program, not just a document. The approach some providers have taken to meeting this requirement is to use a fill-in-the-blank document that can be signed and placed in a file. The law, however, clearly asks for an identity-theft prevention program. The difference is vital in both program effectiveness and showing good faith. The program outline in the legislation contains the following components:

• A privacy committee is established and headed by a privacy officer.  Members may be chosen from pharmacy, administration, nursing, admissions, etc.;

• Needs assessment: The committee takes a look at the flow of secured information from admissions to the provision of service. Authenticating transactions on existing accounts is outlined and reviewed, as well. An analysis of vulnerabilities is conducted and assessed;

• Policies and procedures are developed;

• Reporting mechanisms are formed; and

• Employees are trained.

Oversight of the program is to be provided by a board of directors or member of senior management.

No I.D. theft problems

Unfortunately, you are not always aware of this crime. Your patients may have their identity stolen by short-term employees who are just a small link in a big chain of identity theft criminals. A nursing assistant who was employed and left after three weeks might have been part of a ring based at a local university. That ring sells secured information on the Internet and now the data are open to the world.

According to a retailer in London, the patient in 107 is actually buying a $2,000 leather coat with a newly fabricated debit card. The other side of identity theft we need to guard against is medical fraud. A portion of fraud could be prevented by careful validation of identification upon admission. Care in investigating address discrepancies is included in the legislation.

The FTC might not have made it easy to implement the Red Flags Rules in the long-term care industry, but its directors do have a very clear mindset: They work for the individual consumer.

If you are the victim of identity theft under their watch, the new system is geared to spring into action. As a consumer, your identity is safer.  As healthcare facilities roll under red flags, so do banks, credit card companies, automobile dealerships, utilities, etc.

Turn lemons into lemonade

Guarding patient secured information is the right thing to do. It creates a safe haven. Working on your identity theft prevention plan can provide opportunities to reach out to referral sources to share information. Hospitals, physicians' offices and others are also being held accountable to this law. Once you have written your own plan, you can offer to help others.

Templates for completing the identity theft prevention program are available by writing to


The author has worked for over 20 years in middle and senior corporate healthcare management.