TO: PSA Clients
FROM: John R. Outlaw, Chief Compliance Officer
RE: FTC "Red Flags" Rule Delayed
________________________________________
Enforcement Delayed Until November 1, 2009: The Federal Trade Commission ("FTC") has announced that enforcement of the Red Flags Rule will be delayed until November 1, 2009 for some entities, such as health care providers and small businesses. According to the FTC announcement, "...the Federal Trade Commission staff will redouble its efforts to educate them (small businesses) about compliance with the 'Red Flags' Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."
Compliance as Your Billing Service Provider: As your billing service provider, PSA is clearly aware of the Red Flags Rule and our obligation to provide our services in accordance with the Red Flags Rule requirements to develop reasonable policies and procedures designed to detect, prevent and mitigate identity theft. We have performed a risk analysis; developed an Identity Theft Prevention Program; trained our staff; and we will continue to enhance existing HIPAA-related policies and procedures and/or create new policies and procedures where appropriate to address new risks for identity theft specifically related to the Red Flags Rule.
Specific Actions Necessary for Compliance: In order for your practice to comply with the "Red Flags" Rule, the following measures must be taken to provide for the necessary administration of the Program:
• Create an initial Identity Theft Prevention Program (ref. samples published by the AMA, provided below) and have it formally approved by the Board or other equivalent governing body effective November 1, 2009.
• Have the Board officially assign a member of the senior management team with responsibility for carrying out the implementation of the Program and provide for its ongoing development, administration and oversight - including periodic updates and annual reports to the Board on the Program’s effectiveness.
• Provide training to all staff on the risks of identity theft and the elements of the Program designed to identify, detect and respond to those risks.
• Exercise appropriate oversight of "service providers" (e.g., billing companies, consultants and other contractors involved in handling covered accounts) by requiring compliance with the Red Flags Rule.
Here is a template that the FTC published for Low-Risk Businesses: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf
The FTC has recently created several resources to assist businesses with their Red Flags compliance efforts. Visit the FTC at www.ftc.gov/infosecurity/.
Please contact John Outlaw at joutlaw@psapath.com or 800-832-5270 x 2945 for additional information on PSA’s policies and procedures relating to the Red Flag Rule.