In an effort to combat identity theft, the Federal Trade Commission (FTC) and several other federal agencies issued joint final rules and guidelines implementing certain requirements of the Fair and Accurate Credit Transactions Act of 2003. These rules, commonly referred to as the “Red Flag Rules”, were published in the Federal Register on November 9, 2007, with a mandatory compliance date of November 1, 2008. Due to uncertainty regarding the scope of the rules, the FTC agreed to suspend enforcement until May 1, 2009. Despite objections from several national health care organizations, it does not appear that the May 1, 2009 deadline will be further extended.
The term “Red Flag” refers to known warning signs that are indicators of identity theft. The Red Flag Rules are broad-reaching in that they affect a number of businesses and organizations across a wide spectrum of industries. While they apply to other industries as well, this article specifically addresses compliance by health care providers.
The Red Flag Rules apply to financial institutions or creditors and to the covered accounts maintained by such institutions or creditors. In the health care industry, most providers would fall under the creditor category. A health care provider is a creditor if it regularly:
1. extends, renews or continues credit;
2. arranges for someone else to extend credit or continue credit; or
3. is the assignee of a creditor that is involved in the decision to extend, renew or continue credit.
For example, if a health care provider does not require payment in full at the time of service and allows a patient to defer payment of all or a portion of the patient’s debt, that health care provider would be considered a creditor.
If a health care provider is a creditor, it must then determine whether it maintains “covered accounts”. There are two types of covered accounts. The first type is an account that is used for personal, family or household purposes and that involves multiple payments. The second type is broader and covers any account for which there is a reasonably foreseeable risk of identity theft. It is likely that many health care providers maintain one or both types of covered accounts.
If a health care provider is a creditor and maintains covered accounts, it must comply with the Red Flag Rules and implement an identity theft program. Much like the HIPAA privacy and security rules, the FTC rules are flexible as to how such a program is applied and implemented.
There are four elements to establishing a program for health care providers:
1. Identifying relevant red flags common to the health care industry;
2. Detecting red flags;
3. Preventing and mitigating identity theft; and
4. Periodically updating the program.
Like the HIPAA privacy and security rules, one true test of the effectiveness of any Red Flag program is whether the program is designed to meet the needs of the health care provider implementing it. The program should have the backing of the board of directors or senior management and should be disseminated throughout the health care provider’s organization by means of staff training.
For more information on the Red Flag Rules, please see the information posted on the FTC website at www.ftc.gov. (Just type “Red Flag Rules” into the search box and you will be directed to a number of resources.)