Red Flag Rules - Lawyers Association Says They Don't Apply to Us

Yesterday, the American Bar Association filed a Complaint alleging that the Federal Trade Commission's proposed application of the Red Flag Rules to lawyers was arbitrary and capricious and seeking an injunction to block the Rule's application to legal professionals.  The FTC has included lawyers, doctors and other professionals in its definition of "creditors" under the Rules.

The ABA argues that the FTC failed to "articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under FACTA; or any legally supportable basis for application of the Red Flag Rule to lawyers engaged in the practice of law."

These arguments could be analogized to healthcare providers who are seeking to avoid application of the Rules.  No word from the AOA or AMA yet on whether they too will join in on the legal action, which follows an announcement by the FAH criticizing the Red Flag Rules.

Federation of American Hospitals and "Meaningful Use"

The Federation of American Hospitals ("FAH") has come out publicly against the HIT Policy Committee's proposed standards for "meaningful use" which is required for a healthcare provider to be eligible for HITECH Act incentives for Electronic Health Record adoption and implementation.  In the letter to HHS, FAH says the HIT Policy Committee:

 has made recommendations that go beyond the submission of data that contemplate particular standards or goals that eventually must be achieved” for a provider to qualify as a “meaningful user” of an EHR under the law and thus be eligible for subsidy payments. The letter says—based on the advice of “outside legal counsel” —HHS would exceed its authority if it requires providers to meet quality targets as part of the meaningful-use criteria.

For further information, check out Modern Healthcare.

On the face of the statute, there is some basis for FAH's argument.  The Act does not specify quality improvement measures as a component of what constitutes a "meaningful user" and common usage of that term would not seem to support the HIT Policy Committee's interpretation.  However, the underlying basis for the adoption and implementation of EHRs is to increase quality of care and reduce inefficiencies.  It remains to be seen whether that basis is accepted as true or whether the data gleaned from meaningful users will lend further support for that proposition.

Red Flag Rules

My good friend Becky Williams and I were recently quoted in BNA's Health Law Reporter on the FTC's Red Flag Rules:

Detecting Red Flags

To detect red flags, which are defined as patterns, practices, or specific activities indicating possible existence of identity theft, Gerald DeLoss, of Krieg Devault LLP, Chicago, said health care providers must develop processes to authenticate patients, such as requiring patients to present identification, retaining pictures of patients, monitoring transactions, and verifying change-of-address requests.

Verifying change-of-address requests is particularly important when such a request is made soon after initial services have been sought, DeLoss said.

“That creates red flags that someone might be attempting to hijack that account,’’ DeLoss said. “You need to verify the change of address to ensure that it's legitimate.’’

Requiring patients to present ID, however, is not practical in emergency situations and could lead to malpractice allegations, DeLoss said.

To prevent and mitigate identify theft, health care providers must monitor covered accounts and contact patients to verify changes or services that have been sought, DeLoss said. And while notifying law enforcement of identity theft is crucial, it also is important not to send accounts to collection where identity theft has been suspected or confirmed.

“If you know an account has red flags, the appropriate course for you is not to go out and force collection on those who are claiming that they are not the responsible party,’’ DeLoss said. “The appropriate response would be to grant them some sort of forbearance and in the meantime attempt to determine whether or not they are the appropriate party.’’

Health care providers also should ensure that their red flag programs are regularly updated to prevent recurrence of actual experiences with identity theft and to respond to changes in the methods of identity theft and methods to detect identity theft, DeLoss said.

HITECH Grants, Loans, and Funding

Many of my clients have asked how they might benefit from the funding recently announced under the Federal Government's HITECH Act stimulus provisions.  Under HITECH, there are to be not only funding in the form of incentives to certain users, but also the possibility of disincentives for those who do not opt for Electronic Health Records ("EHRs") in a timely fashion.  In addition, funding and grants are available for underserved areas and special needs populations.  There are to be extension programs and additional support and funding available on the state and regional level.

For those unfamiliar with HITECH, please check the archives for details on how that Act provides additional funding for EHRs.  It also creates new and different compliance issues under HIPAA -- which is worth noting alone.  In addition, please feel free to contact me with further questions.

Keeping Up With National Trends

In light of the changes in my position to Chicago, Illinois, and to better keep up with National trends in Health IT legal issues, please welcome the HIT Blawg!  In the future, simply direct your browser to http://www.hitblawg.com/ for a newly-expanded scope of coverage and even more information on Health IT and the law.