Identity Theft Red Flag Rules

Are you in compliance with the Federal Trade Commission’s (“FTC”) new identity theft Red Flag rules?

The Red Flag rules require “creditors” of “covered accounts” to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft by November 1, 2008.

The Red Flag rules were implemented under the Fair and Accurate Credit Transactions Act of 2003 and govern the actions of “creditors”. A “creditor” is defined very broadly as “any person who regularly extends, renews, or continues credit.” The FTC has taken the position that healthcare providers, including physician practices, who bill patients for services rather than requiring full payment up front, or who accept insurance but the patient is ultimately responsible for the fees, are “creditors” and thus are subject to the Red Flag rules.

An “account” is defined as a “continuing relationship established by a person with a…creditor to obtain a…service for personal, family, household or business purposes. An account includes: an extension of credit, such as the purchase of…services involving a deferred payment.” A “covered account” is defined as an “account…primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions” or any “other account…for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the…creditor from identity theft.” Due to the broad definition of “covered account,” most patient billing and medical records will be subject to the Red Flag rules.

Therefore, if you, like most medical practices, are a “creditor” with “covered accounts,” you will need to establish an identity theft prevention program which provides for the identification, detection and response to “red flags” that could indicate identity theft. “Red flags” are “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” The regulations set forth guidelines for the program and categories of relevant red flags that should be considered in developing the program. The program should be appropriate for the size and complexity of your entity and the nature and scope of its activities.

On September 30, 2008, the American Medical Association, along with 26 national medical associations, submitted a letter to the FTC disagreeing with their interpretation that physicians are “creditors” and therefore subject to the Red Flag rules. However, as of the date of this email, the FTC has not provided a response. Therefore, it is important for most healthcare providers to implement their identity theft prevention program no later than November 1, 2008.

Comments