Compliance Resources

» Red Flag Rule
» OMIG Compliance
» Breach Notification
» HIPAA Compliance

Red Flag Rule

The Red Flags Rule*, a law the FTC will begin to enforce on June 1, 2010, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft.

Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.” 

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit.

If the Rule does apply, providers are required to develop and implement a written program to spot the warning signs (red flags) of identity theft in day-to-day operations. The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. If an organization already has a fraud prevention or security program in place, it should use that as a starting point.

If an organization is covered by the Rule, the program must:

  1. Identify the kinds of red flags that are relevant to the practice;
  2. Explain the process for detecting them;
  3. Describe how the organization will respond to red flags to prevent and mitigate identity theft; and
  4. Spell out how the organization will keep the program current.

This program must be approved by the organization’s Board of Directors.

The Red Flags Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

FTC response to AMA on the question of health care provider compliance.

The Red Flags Rule: Are You Complying with New Requirements for Fighting Identity Theft?

FTC How to Guide

Do-It-Yourself Program for Businesses at Low Risk For Identity Theft

* Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule

5/18/09 Coalition Privacy Presentation, including the scope of the Red Flags Rule

NY State Office of the Medicaid Inspector General

» OMIG Provider Compliance

Part 521 Provider Compliance

Organizations must comply if they are either:  

  • Licensed under Article 28 or 36 of the New York Public Health Law or Article 31 or 16 of the New York Mental Hygiene Law, or
  • Entities (or persons) that submit claims for, order, bill for or receive payment for Medicaid-covered services with a value of at least $500,000 during any 12-month period. 

An effective compliance program must include the following elements:

  • A code of conduct and written compliance policies
  • Appointment of a compliance officer
  • Training and education of employees and Board members
  • Mechanisms for reporting fraud and abuse, including an anonymous reporting option
  • Employee disciplinary policies
  • Audits and risk assessments
  • Procedures for investigating and responding to compliance problems
  • A policy prohibiting retaliation against employees for reporting fraud or abuse

Providers subject to the Regulations must be in compliance by September 28, 2009.  Providers must certify their compliance to OMIG each December.

Revised Compliance Certification forms were made available on the OMIG website on 11/20/09. Submission of the certification is required by December 31, 2009.

Part 521 - OMIG "Provider Compliance Programs", eff. July 1, 2009
This new part will be added to Title 18 of the Codes, Rules and Regulations of the State of New York. Providers have 90 days (until September 28, 2009) to develop and implement Medicaid compliance programs.

New York State Register - June 24, 2009/Volume XXXI, Issue 25 Part 521

OMIG Part 521 Policy Templates are available through the PLC Store »

» August 18, 2009 Provider Letter
"In our continuing efforts to further improve and strengthen the Medicaid program, the OMIG has prepared a comprehensive work plan (posted on the Web site at, to aggressively address specific areas of the Medicaid program that are particularly vulnerable to improper payments. The OMIG would like to place particular emphasis on the following focus areas of its 2009-10 work plan:

• Claims submitted for medical service to deceased beneficiaries
• Claims submitted after or the failure to reimburse the Medicaid program after third-party liability has been established
• Bills submitted to a Medicaid beneficiary for Medicaid-covered services"

DRA Compliance - Whistleblower Protections

The Deficit Reduction Act (DRA) requires any health care entity that receives $5 Million or more from Medicaid to have written policies and procedures about the federal and state false claims acts and whistleblower protections. Employees must be trained on these policies and procedures.

Providers who bill $5M or more must certify annually, by January 1, to the Office of the Medicaid Inspector General that they have complied with the employee education requirements. A revised (11/20/09) certification form is available on the OMIG website.

DRA Templates and Employee Training Slides are available through the PLC Store »

Other Helpful Sites

» SFY 2009-2010 OMIG Medicaid Work Plan

» Medicaid General Billing Guide for All Providers - see pages 7 & 8 for reference to 90 Day Exception Codes.