Risk Management

Red Flags Rule, HITECH/HIPAA Obligations, and RAC Audits

The Federal Trade Commission again postponed enforcement of the “Red Flags” rule for health care providers through December 31, 2010, largely in response to a lawsuit by the American Medical Association. The Red Flags rule, passed in 2003 under the Fair and Accurate Credit Transactions Act, requires that “creditors” create a written protocol to protect sensitive financial information and notify clients of security breaches.

The HITECH Act, an amendment to the HIPAA Privacy law, passed in late 2009 as part of the American Recovery and Reinvestment Act. It requires that physicians maintain a protocol to protect patient’s sensitive health information. Violations are subject to penalty immediately, with an extended implementation period for physicians who use Electronic Medical Records systems.

As part of the Tax Relief and Health Care Act of 2006, the Centers for Medicare and Medicaid Services authorized the Medicare Recovery Audit Contractor (RAC) program to identify improper Medicare payments. A temporary “stop work” order during litigation regarding the awarding of RAC contracts was resolved in 2009 and the law was expanded to all 50 states this year. Contracted auditors across the country are paid a contingency fee to identify improper billing practices and receive a portion of the over (or under) payments they collect from health care providers.

OMIC’s professional liability policy provides coverage for patient notification costs associated with regulations such as the Red Flags rule and HITECH Act, subject to a sublimit of $10,000 per policy period. RAC audits and other “billing errors” proceedings are covered at a sublimit of $35,000 per policy period. Coverage provides reimbursement for legal and audit expenses, including shadow audits, as well as fines and penalties (where allowed by law).