On October 22, the FTC announced that enforcement of its Identity Theft Red
Flag Rules, originally scheduled to begin November 1, 2008, will now be delayed
until May 1, 2009. The reason for the delay is that many entities, including
health care providers, have been uncertain or even unaware of their coverage
under the Rules until this point. The extension will allow covered entities more
time to comply with the mandate to create and implement a written identity theft
prevention program. The FTC is also planning to provide additional guidance as
to the Rules themselves and to which entities the Rules apply, but no date has
been provided for this guidance.
Which Health Care Providers Must Comply?
Created pursuant to the Fair and Accurate Credit Transactions (FACT) Act of
2003, the Red Flag Rules are intended to address the billions of dollars in
losses each year resulting from identity theft to individuals and businesses.
Among other entities, the Rules apply to “creditors” with “covered accounts.”
This may include a health care provider, depending on its billing and collection
Under the Rules, a “creditor” is any entity that “regularly extends, renews, or
continues credit,” and the definition of “credit” includes granting a right to
defer payment for any purchase or service. Health care providers that allow for
the deferral of payments for medical services rendered fall under the definition
of “creditor.” However, merely allowing patients to pay by credit card or through
third-party payors does not make a provider a creditor. Patient financial
accounts appear to qualify as “covered accounts” under the Rules, which are
defined as accounts “used mostly for personal, family, or household purposes”
that permit multiple payments or transactions. Additionally, accounts which pose
a foreseeable risk of identity theft are also covered.
Requirements for Health Care Providers
The Red Flag Rules are designed to allow flexibility in creating and
implementing a program that is appropriate to the nature of an entity’s
operations, size, and complexity. Health care providers covered under the Rules
must create reasonable policies and procedures to identify, detect, prevent, and
mitigate warning signs of identity theft, aka “red flags.” HIPAA privacy and
security compliance, by itself, may not be sufficient to meet the requirements
established by the Red Flag Rules. In addition to reviewing their HIPAA
compliance procedures to determine what additional steps need to be taken,
health care providers covered by the rules will need to:
- Identify red flags that signify possible identity
theft and incorporate those red flags into the Program. The FTC created a
non-inclusive guidance list containing 26 red flags, including suspicious
documents, personal identifying information, and unusual activity from a
- Create a process to detect red flags incorporated into the program.
- Prevent and mitigate identity theft by responding appropriately to
detected red flags.
- Update the program periodically to reflect changes in the risks of
identity theft to both patients and the health care provider’s business.
The written program must be approved by the board of directors or one of its
subcommittees, which must also oversee the program or delegate that oversight
to appropriate senior employees. Additional measures must be taken to include
staff training and provide effective oversight of service provider arrangements.
The delay in FTC enforcement is limited only to the Identity Theft Red Flag
Rules and does not extend to enforcement of the new rules regarding address
discrepancies for users of consumer reports, which are effective November 1,
The Red Flag Rules can be found at 16 C.F.R. 681. For additional information
related to these Red Flag Rules and implementing an identity theft prevention
program as a health care provider, please contact any member of the McGuireWoods
Health Care team.