On November 9, 2007, the Federal Trade Commission (FTC) published the Red Flag Rules defining what a creditor and financial institution must do to implement an Identity Theft Prevention Program. The deadline for compliance was originally November 1, 2008. Many in the healthcare industry were surprised to discover that the Red Flag Rules may apply to them. Due to confusion and uncertainty about the applicability of the rule, the FTC subsequently announced that it was delaying enforcement of key elements of its identity theft detection, prevention, and mitigation rules until May 1, 2009, to allow “creditors” and financial institutions additional time to fully implement policies and procedures designed to prevent identity theft.
The Red Flag Rules add another layer of complexity to addressing the problem of health information privacy and security. Most healthcare providers already must comply with the privacy and security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which has significant overlap with the requirements of the Red Flag Rules. However, healthcare providers should (1) be aware of the Red Flag Rules; (2) determine the applicability of these rules to their operations; (3) review their existing privacy and security compliance programs in light of these rules; and (4) take any necessary action to bring themselves into compliance with applicable requirements.
The Red Flag Rules provide that “creditors” with “covered accounts” that are subject to FTC enforcement under the Fair Credit Reporting Act must develop and implement a written identity theft prevention program that detects, prevents and mitigates identity theft. Healthcare providers may be considered creditors if they allow for payment on medical services provided to a patient after those services were provided and/or over a period of installment payments. Accordingly, unless the provider offers services only on a prepaid basis, it is likely a creditor for red flag purposes.
A covered account is defined broadly as (a) “[a]n account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions” or (b) “[a]ny other account . . . for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the . . . creditor from identity theft.” Patient (and perhaps other) accounts appear to qualify as covered accounts under either prong of this definition.
The FTC has defined as red flags those patterns, practices or specific activities that indicate the possible existence of identity theft. The FTC has identified five categories of red flags: (1) alerts, notifications or other warnings from consumer reporting agencies or service providers; (2) the presentation of suspicious documents; (3) the presentation of suspicious personal identifying information; (4) the unusual use of, or suspicious activity related to, a covered account; and (5) notice from customers, law enforcement or others regarding possible identity theft.
Many healthcare providers will find that they are creditors subject to FTC enforcement with covered accounts. These providers will need to implement an Identity Theft Prevention Program. The program may be incorporated as part of the provider’s HIPAA compliance efforts, and should be appropriate to the size and complexity of the organization and the scope of its activities. The program must be approved by an organization’s board of directors (or a designated committee thereof) and contain “reasonable policies and procedures” to identify and detect red flags, respond to red flags to prevent and mitigate identity theft, and ensure it is updated periodically to reflect changes in risks to customers or to the safety and soundness of the creditor from identity theft. Providers must also assign specific administrative responsibility for implementing the program, training staff, auditing compliance, generating annual reports, and overseeing anyone granted access to covered accounts.
NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.