Important Legislative Updates From OAA - Red Flags and Surety Bonds


DMEPOS Surety Bond - Opticians Are Not Exempt

DMEPOS Surety Bond and Accreditation Requirement for Medicare Billing Privileges

Per final regulations implemented by CMS, DMEPOS suppliers will be required to become accredited to obtain and maintain Medicare billing privileges by October 1st of this year; others may be required to post a surety bond by October 2nd to secure Medicare billing privileges, and most will be required to provide both.

Frank Whelan, the CMS agency administrator for the new requirements, informed the Opticians Association of America on September 9, 2009 that opticians are not exempt from the Medicare suppliers’ surety bond requirement due Oct. 1st for DMEPOS.  However, opticians are exempt from accreditation.

What you need to do if you are in the process of being accredited or obtaining a surety bond:

The Centers for Medicare & Medicaid Services (CMS) encourages all DMEPOS suppliers currently in the midst of the accreditation process to correct all outstanding deficiencies on your accreditation report, so that a site visit or accreditation decision can be rendered by the October 1, 2009 deadline.  CMS also encourages all DMEPOS suppliers, subject to the bonding requirements, to obtain a surety bond.

While the DMEPOS Accrediting Organization will notify the National Supplier Clearinghouse (NSC) that you are accredited, you will need to notify the NSC that you have obtained your surety bond.  When submitting your DMEPOS surety bond to the NSC, you should submit sections 1, 2A1, 12, and either 15 (if you are the authorized official) or 16 (if you are the delegated official) of the Medicare enrollment application (CMS-855S).  By submitting the required sections of the CMS-855S, you will help to ensure that NSC is able to correctly associate your DMEPOS surety bond to your enrollment record.

For additional information regarding DMEPOS accreditation or the provisions associated with a surety bond, go to

Frequently Asked Questions (FAQs) on the surety bond requirement can be found on the NSC’s FAQ page at


The “Red Flags” Rule: With identity theft on the rise in the healthcare industry, the FTC has mandated a new rule to protect you and your customers.

WHO MUST COMPLY according to the Federal Trade Commission?

Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Creditor Defined: Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources – for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

Covered Account Defined: The second key term, “covered account,” is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

As a practical matter, most businesses and organizations that provide products and services to their customers and then bill them later are covered by the Rule.

Note: If you’re covered by the Rule, your program must:

1. Identify the kinds of red flags that are relevant to your practice

2. Explain your process for detecting them

3. Describe how you’ll respond to red flags to prevent and mitigate identity theft

4. Spell out how you’ll keep your program current.

The FTC provides a do-it-yourself form for a Red Flag program at the following link

If more help is needed to determine if your business needs to abide by the Red Flags Rule, click on the following link to view the FTC’s 17-page booklet for a thorough explanation:
