The Red Flags Rule* , a law the FTC will begin to enforce on June 1, 2010, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft.
Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit.
If the rule does apply, providers are required to develop and implement a written program to spot the warning signs of (red flags) of identity theft in day to day operations. The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. If an organization has a fraud prevention or security program in place that the should use that as a starting point.
If an organization is covered by the Rule, the program must:
This program must be approved by the organization’s Board of Directors.
Part 521 Provider Compliance
Organizations must comply if they are either:
An effective compliance program must include the following elements:
Providers subject to the Regulations must be in compliance by September 28, 2009. Providers must certify their compliance to OMIG each December.
Revised Compliance Certifications forms available on OMIG website 11/20/09. Submission of certification is required by December 31, 2009.
Part 521 - OMIG "Provider Compliance Programs", eff. July 1, 2009
» August 18, 2009 Provider Letter
• Claims submitted for medical service to deceased beneficiaries
DRA Compliance - Whistleblower Protections
The Deficit Reduction Act (DRA) requires any health care entity which receives $5 Million or more from Medicaid have written policies and procedures about federal and state false claims acts and whistleblower protections. Employees must be training on these policies and procedures.
Providers who bill $5M or more must certify annually to the Office of the Medicaid Inspector General that they have complied with the employee education requirements by January 1. A revised (11/20/09) certification form is available on the OMIG website.
Other Helpful Sites
» Medicaid General Billing Guide for All Providers - see pages 7 & 8 for reference to 90 Day Exception Codes.
123 William Street, 19th floor, New York, NY 10038
Phone: (212) 742-1600
Fax: (212) 742-2080
Send an email
© 1997-2019 The Coalition