games 2009 annual convention august 2, 2009 the king & prince resort st. simons island, georgia

The “Red Flags” Rule:

What DMEPOS Providers Need to Know About Complying with New

Requirements for Fighting Identity Theft

GAMES 2009 Annual Convention August 2, 2009

The King & Prince Resort St. Simons Island, Georgia

Presented by…

Mark J. Higley –

Vice President/Development VGM Group, Inc.

Most HME/DME organizations have been unaware of the “Red Flag Rules” …or have been uncertain of the applicability of these requirements.

Providers should immediately become aware of these rules, should revisit their existing privacy and security compliance programs to ensure that the requirements of the Red Flag Rules have been addressed, and should take other actions to bring themselves into compliance with applicable requirements.

In general healthcare “creditors” that are subject to FTC enforcement under the Fair Credit Reporting Act (FCRA) with “covered accounts” must implement programs that identify, detect and respond to DMEPOS facilities that could indicate identity theft.

With few exceptions, each company represented here today must comply.

The effective date WAS August 1, 2009 (!)

FTC AGAIN POSTPONES ENFORCEMENT OF RED

FLAGS RULE On July 29, 2009 the FTC announced another

delay in the enforcement date of the so-called “Red Flags Rule” (the Rule). The FTC indicated that enforcement of the Rule is now postponed until November 1, 2009. The Rule was originally scheduled to be enforced on November 1, 2008, but the enforcement date was postponed to May 1, 2009, and then until August 1, 2009.

The new delay will give creditors who are subject to the Rule an additional three months to come into compliance.

It also leaves open the possibility that new legislation or changes in the Rule will narrow its scope or reduce the burdens of compliance.

The House Appropriations Committee also asked the FTC to defer enforcement and to make additional efforts to minimize the burdens of the rule on health care providers and small businesses with a low risk of identity theft problems.

In any case, you will receive an attachment today to assist your facility in understanding and to comply with the Red Flag Rules, as well as the “Address Discrepancy Rules” which were effective November 1, 2008.

While the American Medical Association (AMA) and a significant number of medical societies and associations protested the inclusion of health care providers, including clinicians, among those required to comply with the Red Flag and Address Discrepancy Rules, on February 4, 2009, the Federal Trade Commission had issued a letter confirming that clinicians and related health care providers must comply with the Red Flag and Address Discrepancy Rules.

The Red Flag and Address Discrepancy Rules require clinicians and healthcare providers, among other individuals and businesses deemed as “creditors” (including banks, mortgage lenders, credit unions, utility companies, car dealers, and telecommunications companies) to develop and implement a formal written program to detect, prevent and mitigate identity theft, including medical identity theft.

While the Red Flag and Address Discrepancy Rules are similar and contain many of the same content and requirements as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, they are intended to not only prevent the compromise of patient information, but also to prevent or mitigate the misuse of such information if it is compromised.

The Red Flag and Address Discrepancy Rules are designed to avert identity theft by ensuring that organizations are alert to signs that an identity thief is using someone else’s identifying information fraudulently to obtain products and services, including medical care. As indicated by the Federal Trade Commission, the Rules are meant to complement rather than duplicate privacy and security requirements under HIPAA.

Scalable… Like the HIPAA Security Rule, the Red Flag and

Address Discrepancy Rules are “flexible” in that a DMEPOS facility may tailor creation and implementation of its identity theft program based on the degree of identity theft risk faced by the DMEPOS facility. For example, a large multi-location DMEPOS facility may need a more robust program than a small single location DMEPOS facility.

The “deadlines”… The Red Flag and Address Discrepancy Rules

were published in final form on November 9, 2007, 72 Fed. Reg. 63718 (Nov. 9, 2007). While they were published together, they are in fact separate regulations.

With few exceptions, all DMEPOS (HME/HME, O&P, Re-hab, Supplies) facilities are now likely to be required to be fully compliant with the Red Flag Rule by November 1, 2009. The compliance deadline for the Address Discrepancy Rule was November 1, 2008.

The Red Flag and Address Discrepancy Rules do not require the appointment of an individual to oversee the identity theft program; however, it is recommended that the DMEPOS facility consider doing so.

This individual may be your identified HIPAA Privacy or Security Official or a designated staff member, such as the DMEPOS facility manager or administrator.

However, every company should begin to create a written “Identity Theft Prevention Program”.

The steps… Read the Overview of the Red Flag and Address

Discrepancy Rules Designate a Privacy Official to Oversee the Program Perform a Risk Analysis Develop a Written Identity Theft Prevention Program Obtain Approval of the Written Identity Theft

Prevention Program Develop an Identity Theft Database Document and Train Staff on the Identity Theft

Prevention Program Obtain Signed Workforce Confidentiality

Agreements from All Staff Monitor Compliance With the Identity Theft

Prevention Program

Step 1: Read the Overview of the Red Flag and Address Discrepancy Rules

The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission and bank regulatory agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. The requirement includes special regulations directing debit and credit card issuers to validate notifications of changes of address under certain circumstances. 15 U.S.C. § 1681m(e).

A healthcare provider must comply with the Red Flag Rule if the provider meets the definition of “creditor” under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)). A healthcare provider must comply with the Address Discrepancy Rule if the provider uses consumer credit reports.

The main purpose of the Red Flag and Address Discrepancy Rules is to develop and implement a formal written program to detect, prevent and mitigate identity theft, including medical identity theft, in connection with establishing new or maintaining existing “covered accounts.”

WHAT IS MEDICAL IDENTITY THEFT?

Medical identify theft occurs when someone uses a person’s name and/or other part of their identity without that person’s knowledge or consent to obtain medical services or goods, or when someone else uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.

WHAT IS A COVERED ACCOUNT?

A covered account is (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Bottom line… If a health care provider extends credit to a

consumer by establishing an account that permits multiple payments, the provider is a creditor offering a covered account and is subject to the Red Flag rules.

With few exceptions, all attendees here today are subject to the rules!

Unlike the HIPAA Privacy and Security Rules, the Red Flag and Address Discrepancy Rules state that entities, including health care providers, who offer credit to consumers (in this case, patients) must be able to detect evidence of identity theft that arises when dealing with consumers (again, in this case, patients). One way to identify identity theft is through a “red flag.”

Another way is through a “Notice of Address Discrepancy.”

WHAT IS A RED FLAG & A WHAT IS A NOTICE OF

ADDRESS DISCREPANCY?? A red flag is a pattern, practice, or specific

activity that could indicate identity theft. A Notice of Address Discrepancy is a notice

that a credit bureau sends to a person or business that ordered a credit report about a consumer which informs the consumer of a substantial difference between the address for the consumer in the credit bureau files and the person or business who ordered the report.

The Address Discrepancy Rule requires all users of consumer credit reports, including healthcare facilities, to develop policies and procedures designed to enable the facility to form a reasonable belief that a credit report belongs to the patient for whom it was requested.

For example, if a facility offers patients the use of a healthcare financing organization and as part of the qualifying process reviews the patient’s credit report, the DMEPOS facility must comply with the Address Discrepancy Rule.

If the DMEPOS facility receives a Notice of Address Discrepancy from a nationwide consumer reporting agency (such as Equifax, Experian, and/or Transunion) indicating that the address given to the DMEPOS facility by the patient differs from the address on the credit report, it must have a policy in place to determine how the discrepancy will be reconciled.

Means of Complying with the Red Flag and Address Discrepancy Rules

Like the HIPAA Security Rule, the Red Flag and Address Discrepancy Rules were purposely written broadly. The specific measures that one DMEPOS facility uses to comply with the Rules may vary from the specific measures taken by another DMEPOS facility.

For example, measures taken to prevent identity theft used by a 20 branch office location DMEPOS facility will likely be quite different from those used by a single location DMEPOS facility with five employees. However, the process set forth in this manual is applicable to all DMEPOS facilities.

In deciding what specific measures to use in order to comply with the Red Flag and Address Discrepancy Rules, each DMEPOS facility must consider the following:

1. The size, complexity, and capabilities of the DMEPOS facility including

– The types of covered accounts it offers and maintains

– The methods it provides to open its covered accounts

– The methods it provides to access its covered accounts

– Its previous experiences with identity theft

2. The probability and criticality of potential risks surrounding identity theft.

As the DMEPOS facility evolves, it must monitor, keep current, and document the measures it takes to prevent identity theft in connection with new and existing covered accounts.

Step 2: Designate a Privacy Official to Oversee the DMEPOS facility’s Identity Theft Prevention Program

The Red Flag and Address Discrepancy Rules do not require the DMEPOS facility to designate an individual who oversees the DMEPOS facility’s Identity Theft Prevention Program and is able to respond to identity theft incidences and crimes. However, it is recommended that the DMEPOS facility consider doing so.

This individual may be your identified HIPAA Privacy or Security Official or a designated staff member, such as the DMEPOS facility manager or administrator, and will be responsible for the DMEPOS facility’s compliance with the Red Flag and Address Discrepancy Rules.

Additionally, this position will be responsible for executing whatever changes or modifications need to be implemented as identified during your risk assessment and as required by the Rules.

If your DMEPOS facility is organized as a separate legal entity (such as a corporation or partnership), you should also specifically indicate the name of the person that you have appointed to be the Privacy Official for the year within the entity’s corporate minutes.

As it evolves, the DMEPOS facility’s on-going analysis of its Identity Theft Prevention Program may indicate that the Privacy Official’s responsibilities may need to be modified as a partial response to the DMEPOS facility’s modified means of compliance with the Red Flag and Address Discrepancy Rules.

As additional clarification of the Rules is provided by the Federal Trade Commission, these responsibilities may need to be modified.

Place this form and other relevant forms in a permanent Red Flag and Address Discrepancy Rules folder or binder to serve as part of your DMEPOS facility’s overall Compliance Plan.

Step 3: Perform a Risk Analysis While most health care providers already

have privacy and security risk assessments in place as a result of compliance with the HIPAA Privacy and Security Rules, the DMEPOS facility may need to expand its risk analysis to consider medical identity theft scenarios. A thorough assessment may require additional considerations beyond those addressed in the DMEPOS facility’s HIPAA Privacy and Security risk assessments.

The risk analysis should consider potential circumstances that might pose a risk if proper measures were not put in place. Potential circumstances would include, for example, breaches caused by unauthorized uses, lack of processes associated with verifying and authenticating a patient’s identity, and unsecured access to patient information, that may occur absent the appropriate measures to prevent identity theft.

A complete analysis should consider both “outsider” threats as well as “insider” threats. An “outsider” threat may be associated with a breach that occurs by an individual that is not employed by the DMEPOS facility, while an “insider” threat is associated with a person who is employed or has authorized access to the DMEPOS facility’s patient information.

The Privacy Official should use the Red Flag and Address Discrepancy Rules Risk Analysis provided in the attachments as a guide to assess the DMEPOS facility and prepare it for detecting red flags and complying with the Rules.

The Red Flag and Address Discrepancy Rules Risk Analysis allows you to clearly identify and document your decisions regarding prevention and mitigation of identity theft. Additionally, it should be reviewed periodically based on the changes and evolution of the DMEPOS facility.

TO DO: Fill in your DMEPOS facility Name on the

attachment Exhibit 1. Photocopy Exhibit 1 (all pages) for each

DMEPOS facility location. (Keep a master copy for future quarterly or annual assessment reviews). Follow the checklist.

Answer the questions to identify your current operational procedures.

NOTE: If multiple locations are operated by your

DMEPOS facility, a risk analysis should be conducted at each location.

Place the Red Flag and Address Discrepancy Rules Risk Analysis in a permanent Red Flag and Address Discrepancy Rules folder or binder to serve as part of your DMEPOS facility’s overall Compliance Plan. File subsequent revisions to the Risk Analysis in this folder as well.

Step 4: Develop a Written Identity Theft Prevention Program

Under the Red Flag and Address Discrepancy Rules, creditors (in this case, DMEPOS facilities) who maintain covered accounts are required to implement an Identity Theft Prevention Program. The goal of this program is to assist the DMEPOS facility in identifying, detecting and mitigating risks of identity theft affecting its patients.

The Identity Theft Prevention Program must include four (4) required elements consisting

of policies and procedures to:

Identify relevant red flags for the covered accounts that the DMEPOS facility offers or maintains and incorporate these red flags into its Identity Theft Prevention Program.

Examples of red flags include, but are not limited, to the following…

A complaint or question from a patient based on the patient’s receipt of a bill for another individual, a bill for a product or service that the patient denies receiving, a bill from a health care provider that the patient never patronized, and/or notice of insurance benefits (Explanation of Benefits) for health services never received.

Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.

A complaint or question from a patient about the receipt of an account statement or a collection notice from a collection agency for services that the patient did not receive.

A patient or insurance company report that coverage for legitimate healthcare services is denied because insurance benefits have been depleted or a lifetime cap has been reached when the patient claims that he/she has not received that level of services.

A complaint or question from a patient about information added to a credit report by a health care provider or insurer.

A dispute of a bill received from the DMEPOS facility by a patient who claims to be the victim of any type of identity theft.

A patient who has an insurance number but cannot produce an insurance card or other physical documentation of insurance coverage.

A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

Receipt of a Notice of Address Discrepancy from a patient.

Note: Any of the above Red Flags will take on greater importance and priority of investigation if the patient has also filed a police report regarding identity theft.

Detect red flags that have been incorporated into the Identity Theft Prevention Program.

Examples of policies and procedures intended to detect red flags include, but are not limited to, the following…

During patient intake DMEPOS facility staff should review and include in each patient’s file a photo ID issued by a local, state, or federal government agency (e.g., a driver’s license, passport, military ID, etc.).

In the event the patient does not have photo ID, DMEPOS facility staff should ask for two forms of non-photo ID, one of which has been issued by a state or federal agency (e.g., Social Security card and a utility bill or company or school identification).

Each time a patient visits the DMEPOS facility, DMEPOS facility staff should check whether the identification provided is valid, copy the identification provided, and match any photo to the patient/responsible party.

Prevent and mitigate identity theft by appropriately responding to red

flags that are detected.

Examples of appropriate responses include, but are not limited to the following…

Monitoring a covered account for evidence of identity theft by “flagging” the account either on paper or electronically for ease of identification.

Contacting the patient and explaining the circumstances of the situation.

Changing any passwords, security codes, or other security devices that permit access to a covered account.

Reopening a breached covered account with a new account number.

Not opening a new covered account Closing an existing breached covered

account. Not attempting to collect on a covered

account or not transferring a covered account to a debt collector.

Notifying law enforcement. Determining that no response is warranted

under the particular circumstances.

Update the Identity Theft Prevention Program by periodically reviewing its effectiveness and updating it to reflect changes in risks to patients or the DMEPOS facility as a result of identity theft.

Examples of changes in risks include, but are not limited to the following…

The experiences of the DMEPOS facility with identity theft.

Changes in methods of identity theft. Changes in methods to detect, prevent, and

mitigate identity theft. Changes in the types of accounts that the

DMEPOS facility offers or maintains. Changes in the business arrangements of

the DMEPOS facility, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

In addition to these required elements, the Identity Theft Prevention Program must also incorporate four (4) administration components to including…

1. Involving the Board of Directors, or an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and

administration of the program. In the case of a DMEPOS facility, the designated

employee may be your identified HIPAA Privacy or Security Official or a designated staff member, such as the DMEPOS general manager or owner.

This employee is required to report to the Board of Directors or the owner (in the case of an individually owned DMEPOS facility), at least annually, regarding the DMEPOS facility’s compliance with the Red Flag and Address Discrepancy Rules.

The update provided by this employee should address material matters related to the identity theft program and evaluate issues including, but not limited to, the effectiveness of the DMEPOS facility’s Identity Theft Prevention Program, significant incidents involving identity theft and the DMEPOS facility’s response, and recommendations for potential material changes to the Identity Theft Prevention Program.

Signatories approving the written plan may include the President of the Board of Directors or the owner, in the case of an individually owned DMEPOS facility. In addition, the Board of Directors or the owner is required to review reports presented by the DMEPOS facility’s Privacy Official or designated employee and approve material changes to the Identity Theft Prevention Program.

2. Obtaining approval of the initial written Identity Theft Prevention Program from the DMEPOS facility’s Board of Directors, an appropriate committee of the Board of Directors, or owner (as applicable).

3. Training staff, as necessary, to effectively implement the program.

The Red Flag and Address Discrepancy Rules require that the DMEPOS facility’s staff and clinicians be trained, as necessary, to enable them to identify and address the risk of identity theft. For example, there may be general training for all employees, with more in-depth training for those employees whose job duties are most likely to place them in positions to identify identity theft.

Additionally, if the DMEPOS facility utilizes credit reports in any way, its staff and clinicians must also be trained on the DMEPOS facility’s policies to verify the identity of the patient when a Notice of Address Discrepancy is received from a consumer reporting agency.

4. Exercising appropriate and effective oversight of service provider arrangements.

In the case of a medical DMEPOS facility, this would include any third party service provider, such as collection agency or billing agent, who the DMEPOS facility engages to perform an activity in connection with one or more covered accounts.

The DMEPOS facility is required to take steps to ensure that the services provided by the third party are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

For example, the DMEPOS facility could require in its service agreement with the third party service provider or by amending the Business Associate Agreement to have policies and procedures in place as required by the Red Flag Rule, to detect relevant red flags that might arise in the performance of the service provider’s activities.

Step 5: Obtain Approval of the Written Identity Theft Prevention Program

As indicated in Step 4, the Red Flag and Address Discrepancy Rules require approval of the initial written Identity Theft Prevention Program by the DMEPOS facility’s Board of Directors, an appropriate committee of the Board of Directors, or owner (as applicable).

Signatories approving the written plan may include the President of the Board of Directors or the owner, in the case of an individually owned DMEPOS facility. It is recommended that documentation of the approval be included as part of the written Identity Theft Prevention Program.

In addition, the Board of Directors or the owner is required to review reports presented by the DMEPOS facility’s Privacy Official or designated employee and approve material changes to the Identity Theft Prevention Program.

Such approval should also be appropriately documented.

TO DO:

Obtain documented approval of the initial written Identity Theft Prevention Program. (See Exhibit 2).

Obtain documented approval of any future material changes to the Identity Theft Prevention Program.

Step 6: Develop an Identity Theft Database In order to easily track identity theft breaches

that have occurred in the DMEPOS facility, it is recommended, but not required, that DMEPOS facilities develop and maintain an identity theft database. This can be done utilizing either a computer spreadsheet or table, or creating a “log” of written breaches. Regardless of the medium chosen to record identity theft, a database will allow the DMEPOS facility to record the appropriate information necessary in identifying, tracking and rectifying identity theft breaches.

The DMEPOS facility should utilize the Identity Alert Form included as Attachment C to populate the database with information detailing the identity theft breach or incident.

TO DO:

Develop an identity theft database utilizing the fields or categories illustrated in Exhibit 3.

Populate the database with the recommended information each time an identity theft breach occurs.

Step 7: Document and Train Staff and clinicians on the Identity Theft

Prevention Program All staff and clinicians (your workforce) must be

trained on the Red Flag and Address Discrepancy Rules including the DMEPOS facility’s Identity Theft Prevention Program and how it affects their individual job responsibilities. A Red Flag and Address Discrepancy Rules Training Checklist is provided in Exhibit 4 to assist your Privacy Official in conducting training.

All staff and clinicians should be given a copy of the DMEPOS facility’s Identity Theft Prevention Program and should sign it as proof that they have reviewed and understood it.

TO DO: Fill in DMEPOS facility Name on Exhibits 4 & 5 Photocopy the Training Checklist and Training

Documentation Form as needed for each training session conducted.

After the training session, have staff and clinicians record their names, titles, and signatures on the Training Documentation Form.

The Privacy Official should maintain the Training Documentation Form(s).

The Privacy Official should review and revise, if necessary, all training materials. The introduction to this manual and many of the exhibits in it may be used as training tools for staff and clinicians.

Schedule the first training session for all currently employed staff and clinicians as well as other workforce members, such as volunteers.

Employees should be encouraged to ask questions in the event of confusion or questions regarding the Red Flag and Address Discrepancy Rules and the DMEPOS facility’s Identity Theft Prevention Program.

Modify the new employee orientation checklist to include time set aside for Red Flag and Address Discrepancy Rules training and to make certain that the employee has signed the Training Documentation Form.

NOTES: All new employees must receive training on the

Red Flag and Address Discrepancy Rules training as a part of their initial employee orientation.

Any time there is a material change in the DMEPOS facility’s Identity Theft Prevention Program that affects the DMEPOS facility and how the staff conducts business, the employees whose functions and responsibilities are affected by the change must receive additional training.

While not required, records of clinician and staff training should be maintained by the DMEPOS facility.

Step 8: Obtain Signed Workforce Confidentiality Agreements from

All Staff and clinicians

Although the Red Flag and Address Discrepancy Rule does not require employees to sign a confidentiality agreement, the Rules do require a DMEPOS facility to implement the policies and procedures outlined in its Identity Theft Prevention Program. Further, the Rules do require a DMEPOS facility to train its workforce members regarding such policies and procedures

As a suggestion… All employees (including clinicians) may sign a

Workforce1 Confidentiality Agreement. This agreement requires the employee to keep all patient information confidential and abide by the DMEPOS facility’s Identity Theft Prevention Program.

The signed agreement may (if followed and enforced) substantiate your DMEPOS facility’s training and compliance efforts in the event of a violation of the Red Flag and Address Discrepancy Rules.

TO DO: Fill in DMEPOS facility Name on Exhibit 6. Photocopy the Workforce Confidentiality

Agreement. Distribute the Workforce Confidentiality

Agreement to staff and clinicians. Collect a signed agreement from staff and

clinicians and return them to the Privacy Official. Revise the DMEPOS facility’s new employee

orientation checklist to include the following step: “Sign your DMEPOS facility’s Red Flag and Address Discrepancy Rules Workforce Confidentiality Agreement.”

Place the signed agreement in the employee’s personnel file.

NOTE: If you have already implemented Workforce

Confidentiality Agreements as a part of your current HIPAA policies and procedures, you will want to update them to include the Red Flag and Address Discrepancy Rules.

State laws may vary regarding use of the Workforce Confidentiality Agreement as a condition for new or continued employment. Consult with your attorney prior to the use/enforcement of the agreement in your jurisdiction.

If this is a new policy of the DMEPOS facility, it is recommended that all current employees sign one of these agreements (included as Exhibit 6). In the future, the signing of this agreement should be part of the orientation for all new workforce members.

Step 9: Monitor Compliance with the Identity Theft Prevention

Program The Red Flag and Address Discrepancy Rules

require the DMEPOS facility to periodically monitor its compliance efforts and update its Identity Theft Prevention Program to reflect changes in the risks to patients and to the safety and soundness of the DMEPOS facility from identity theft. The Privacy Official has the responsibility to monitor the DMEPOS facility’s compliance with the Red Flag and Address Discrepancy Rules.

The Privacy Official should encourage all staff and clinicians to communicate openly with him/her concerning any potential identity theft breaches and to provide recommendations for how the DMEPOS facility could be better organized to protect patients’ identities.

Note that no clinician, provider, or staff member is exempt from adhering to the Red Flag and Address Discrepancy Rules.

If staff members are aware of a possible violation of the Red Flag and Address Discrepancy Rules that involves the Privacy Official, then they should be encouraged to communicate directly with the owner/general manager of the DMEPOS facility or another individual who is in an executive leadership position.

TO DO: The Privacy Official should create

processes to monitor compliance, and to periodically review and update the policy.

The Privacy Official should offer a mechanism by which staff can address concerns with the DMEPOS facility’s Identity Theft Prevention Program without the risk of repercussions to themselves.

Take appropriate actions on all possible violations of policy.

Appropriate measures need to be taken by the Privacy Official to prevent repeat violations or potential violations of the Red Flag and Address Discrepancy Rules.

The DMEPOS facility should document any sanctions/discipline applied to its employees/workforce members and place such documentation in the employee’s personnel file.

The FTC has established a Web site, www.ftc.gov\redflagsrule, with resources designed to help entities determine if they are covered and, if so, assist them in complying with the Rule.

The Web site includes an online compliance template that enables companies that are at low risk for identity theft to design their own written identity theft programs through an easy-to-use form.

The Web site also includes articles directed to specific businesses, including health care providers, a guidance manual, and frequently asked questions (FAQs) to help companies navigate the rule.

The FAQs indicate that FTC staff would be unlikely to recommend bringing a law enforcement action against entities that know their customers as clients individually, or operate in sectors of the economy where identity theft is rare and which have not themselves been the target of identity theft.

Time Allowing Appendix…

MIPPA & Competitive Bidding Update

MIPPA required that most all DMEPOS suppliers and subcontractors be accredited by October 1, 2009.

HOWEVER – The health reform bill America’s Affordable Health Choices Act of 2009 (H.R. 3200) includes an extension of the Oct 1 accreditation deadline for any Part B supplier of DMEPOS if they have submitted an application for accreditation by August 1, 2009. This extension will be effective until such time as the accreditation organization has completed the accreditation process- no hard deadline for completing the process (!)

The bill would also remove the accreditation requirement for pharmacies only supplying diabetic testing supplies, canes and crutches

Exemption of surety bond requirements for pharmacies who provide Part B DMEPOS products if that pharmacy has held a provider number for at least 5 years and a final adverse action has never been imposed on that pharmacy.

Competitive Bidding…

MIPPA allowed items that were not subject to competitive bidding to receive an inflation update for 2009 equal to the percentage increase in the consumer price index for all urban consumers (“CPI-U”) for the 12-month period ending with June 2008.

For 2010 through 2013, fee schedules will be increased annually to reflect the CPI-U increase (although in areas where competitive bidding is implemented, contract pricing will apply).

In 2014, the fee schedule for items not furnished in a CBA will again be updated for inflation.

Additionally, the payment amounts for those items included in round one and subject to the 9.5 percent cut in 2009 will be increased by 2 percent, unless the Secretary has otherwise adjusted the rate for the item (under the Secretary’s authority to use payment information obtained through the competitive bidding program to adjust rates outside of a CBA), or if the item is being furnished in a CBA.

However… Over the last 12 months the index has

fallen 1.4 percent, as a 25.5 percent decline in the energy index has more than offset increases of 2.1 percent in the food index and 1.7 percent in the index for all items less food and energy.

The CPI-U (measured from one June to the following June) dictates in statute the Medicare HME update for the following year. Therefore, the DMEPOS fee schedule update on January 1, 2010 will be negative 1.4 percent

Round One Rebid Timeline June 4, 2009: Initial PAOC meeting July 1, 2009: CMS-1413-P Published in FR August 31, 2009: Comment period for CMS-

1413-P closes Summer 2009: CMS Announces Bidding

Schedule/Education Schedule Summer 2009: Bidder registration begins

– IACS Registration– User IDs and Passwords issued

Fall 2009: 60-day bidding window– Covered Document Review Date occurs

September 30, 2009: Accreditation Deadline

October 2, 2009: Surety Bond Deadline Winter 2009/Spring 2010: Bid Evaluation Period Spring 2010: Single Payment Amounts

announced Summer 2010: Round 1 Rebid contracting

period Summer 2010: Contract Supplier education

period Fall 2010: Beneficiary, referral agent and

general supplier education period January 2011: Effective date of Round Rebid

contracts

CMS-6006-F Medicare Program - Surety Bond

Requirement for Suppliers of Durable Medical Equipment,

Prosthetics, Orthotics, and Supplies (DMEPOS)

Bottom line… On January 2, 2009 CMS published a final

rule imposing surety bond requirements on certain DMEPOS suppliers.

Specifically, suppliers generally will be required to post a $50,000 surety bond from an authorized surety, unless (1) the supplier is a high-risk supplier, in which case the bond amount will be increased, or (2) the supplier qualifies for an exemption from the surety bond requirement.

A separate surety bond will required for each NPI obtained for DMEPOS billing purposes. 

With regard to high-risk suppliers, CMS requires an elevated surety bond amount of $50,000 per occurrence of an adverse legal action (e.g., revocation of Medicare billing number; suspension of a health care license by a state licensing authority; revocation or suspension of accreditation; felony conviction; or federal or state health care program exclusion or debarment) within the 10 years preceding enrollment, revalidation, or reenrollment. 

Limited Exceptions… CMS has adopted exceptions to the surety

bond requirement for physicians and nonphysician practitioners (NPPs) furnishing the items to their own patients as part of their professional service.

Likewise, CMS has created an exception for the provision of orthotics, prosthetics, and supplies by (1) state-licensed orthotic and prosthetic personnel and (2) state-licensed physical and occupational therapists providing such items to their own patients. 

A supplier must submit the surety bond with its initial Medicare enrollment application or with its revalidation or reenrollment application. 

In addition, DMEPOS suppliers must submit a surety bond when a change of ownership occurs or when seeking to enroll a new location (unless the DMEPOS supplier is a sole proprietorship). 

Effective dates…

The rule is effective March 3, 2009.  Existing suppliers must comply with the

surety bond requirement 9 months after enactment (October 2, 2009).

New enrolling suppliers or suppliers seeking to change ownership after the effective date had to have met this requirement 120 days after the effective date (May 4, 2009).

Shortly CMS is expected to notify each existing DMEPOS supplier by mail of the need to obtain an elevated bond to maintain its enrollment in the program. DMEPOS suppliers that have a significantly higher level of risk must maintain the higher surety bond amount for 3 years.Suppliers will be required to use a firm from the Federal surety approval list.

The surety bond must be a continuous bond as opposed to annual bond.

Suppliers will be required to use a firm from the Federal surety approval list.

CMS will generally revoke a DMEPOS supplier's billing privileges if an enrolled supplier fails to obtain, timely file, or maintain a surety bond as specified in the Final Rule and CMS instructions. CMS may also require that a DMEPOS supplier demonstrate compliance with the surety bond requirements at any time.

The Surety The surety is liable for unpaid claims, civil

money penalties (CMPs) and assessments taking place during the bond or rider. The surety’s liability is limited, however, to the penal sum of the bond.

CMS reserves the right to immediately draw claims from the surety to collect debts or in the event that it finds sufficient evidence of wrongdoing; CMS need not wait for the entire appeals process to exhaust itself. It should also be noted that CMS has not granted the surety the same appeal rights that the supplier has.

The Agency also estimates that as many as 25,188 DMEPOS providers will exit Medicare due to the combined costs of the surety bond and accreditation requirements.

Universe of all DMEPOS Suppliers

< $300,000 103,227

5,386

1,322

194

$300K - $1M

$1M - $3M

$3M - $10M

>$10M 43Source: CMS, August 2008

Revised CMS-855S Enrollment Application

Effective June 1, 2009 DMEPOS suppliers submitting applications to Medicare must use the revised CMS-855S form. Applications submitted after June first using the old 855-S form will be rejected.

The revised CMS-855S adds a 26th Supplier Standard - “All DMEPOS suppliers must obtain a surety bond in order to receive and retain a supplier billing number” - and includes a new section for reporting surety bond information (Section 12).

Unless you are exempt, the following information must be reported in Section 12

of the revised form: Surety Bond Company (the company who will be held

liable for your bond) The company’s Name and address (as reported to the

IRS) The company’s E-mail address, fax and phone number The company’s Tax identification number (TIN) Insurance Agency / Broker (the agency/broker who issued

your bond) The agency / broker’s name and address (as reported to

the IRS) The agency / broker’s TIN The name of the individual agent who issued your bond The Surety Bond amount, number, and effective date A copy of your surety bond must be submitted with the

application. 

Section 12: CMS-855s

Section 12: CMS-855s

Update on Supplier Standards 26 Standards include accreditation (4) and

surety bond (1) additions. The 2008 proposed rule that would expand

the enrollment requirements that DMEPOS suppliers to establish and maintain Medicare billing privileges was NOT finalized.

The rule would have prohibit DMEPOS suppliers from sharing a practice location with another Medicare supplier, including a physician group or another DMEPOS supplier.

CMS also proposed several new standards, including requirements that suppliers: be open to the public at least 30 hours per week (except for certain suppliers of custom-made or -fitted orthotics and prosthetics); obtain oxygen from a state-licensed oxygen supplier in states that license oxygen suppliers; and not have an Internal Revenue Service or state taxing authority tax delinquency. 

The rule proposed clarifying a number of existing requirements, including: clarifying that the DMEPOS supplier itself must be licensed to provide licensed services (i.e., it cannot contract with another individual or entity to provide the licensed service); establishing additional physical facility standards that suppliers must meet and specifying that “closed door” businesses (i.e., pharmacies/suppliers providing services only to beneficiaries residing in a nursing home) must comply with these standards; and excluding the use of cell phones and pagers for receiving public calls during business hours.

Again, the proposed rule was not finalized and compliance is not required.

Accreditation Update… Suppliers are reminded to update the NSC with

accreditation information via the CMS-855S form.

The information provided to the NSC by the accrediting organizations is for verification purposes. If a supplier has decided to change products or services due to accreditation exemptions or requirements, this information must be reported to the NSC to make sure that all information is current and up-to-date.

As a reminder, the NSC shall revoke the billing privileges of suppliers that are not compliant with accreditation requirements by the October 1st deadline. Don’t Wait!

Accreditation reminder…

If you have completed the accreditation process and are credentialed by one of the 10 organizations deemed by CMS for accreditation, forward your information to the NSC to avoid backlogs and disruption of work processes for applications. Remember, the earlier you remit your information, the more confident you feel about the security of your Medicare billing privileges.

Suppliers should complete section 2G of the CMS 855S enrollment form to notify the NSC of their accreditation information. Suppliers should also complete sections 2B and 2D if accredited products or services are different from what the NSC has on file for the supplier.

Other sections that should be submitted along with section 2G are sections 1B, 2A1, 3, 13 & 15 of the (03/09) version of the 855S.

When is a supplier required to send in a change of information?

Supplier standard #2 requires suppliers to notify the NSC of any change to the information provided on the CMS 855S within 30 days of the change. Therefore, it is mandatory for suppliers to notify the NSC when there has been any change in addresses, products/services or ownership or any other information on the supplier file. Failure to notify the NSC properly could result in the revocation of billing privileges. If a supplier is unsure as to whether a change should be reported, the supplier should contact NSC customer service at 866-238-9652.

Thank you GAMES!

Mark J. Higley – Vice President/Development, VGM Group, Inc.