On October 22, the FTC announced that enforcement of its Identity Theft Red Flag Rules, originally scheduled to begin November 1, 2008, will now be delayed until May 1, 2009. The reason for the delay is that many entities, including health care providers, have until now been uncertain of, or even unaware of, their coverage under the Rules. The extension will give covered entities more time to comply with the mandate to create and implement a written identity theft prevention program. The FTC also plans to provide additional guidance on the Rules themselves and on which entities the Rules apply to, but no date has been provided for this guidance.
Which Health Care Providers Must Comply?
Created pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, the Red Flag Rules are intended to address the billions of dollars in losses that individuals and businesses suffer each year as a result of identity theft. Among other entities, the Rules apply to “creditors” with “covered accounts.” This may include a health care provider, depending on its billing and collection practices.
Under the Rules, a “creditor” is any entity that “regularly extends, renews, or continues credit,” and the definition of “credit” includes granting a right to defer payment for any purchase or service. Health care providers that allow patients to defer payment for medical services rendered fall under the definition of “creditor.” However, merely allowing patients to pay by credit card or through third party payors does not make a provider a creditor. Patient financial accounts appear to qualify as “covered accounts” under the Rules, which are defined as accounts “used mostly for personal, family, or household purposes” that permit multiple payments or transactions. Additionally, accounts that pose a reasonably foreseeable risk of identity theft are also covered.
Requirements for Health Care Providers
The Red Flag Rules are designed to allow flexibility in creating and implementing a program that is appropriate to the nature of an entity’s operations, its size, and its complexity. Health care providers covered under the Rules must create reasonable policies and procedures to identify, detect, prevent, and mitigate warning signs of identity theft, known as “red flags.” HIPAA privacy and security compliance, by itself, may not be sufficient to meet the requirements established by the Red Flag Rules. In addition to reviewing their HIPAA compliance procedures to determine what additional steps need to be taken, health care providers covered by the Rules will need to:
- Identify red flags that signify possible identity theft and incorporate those red flags into the program. The FTC has published a non-exhaustive guidance list of 26 red flags, including suspicious documents, suspicious personal identifying information, and unusual activity on a covered account.
- Create a process to detect red flags incorporated into the program.
- Prevent and mitigate identity theft by responding appropriately to detected red flags.
- Update the program periodically to reflect changes in the risks of identity theft to both patients and the health care provider’s business.
The written program must be approved by the board of directors or one of its committees, which must also maintain oversight of the program or delegate it to appropriate senior employees. Additional required measures include staff training and effective oversight of service provider arrangements.
The delay in FTC enforcement is limited only to the Identity Theft Red Flag Rules and does not extend to enforcement of the new rules regarding address discrepancies for users of consumer reports, which are effective November 1, 2008.
The Red Flag Rules can be found at 16 C.F.R. 681. For additional information related to these Red Flag Rules and implementing an identity theft prevention program as a health care provider, please contact any member of the McGuireWoods Health Care team.