RCPA - Rehabilitation and Community Providers Association


Red Flag Rules Take Effect August 1
June 29, 2009

The Federal Trade Commission (FTC), the Federal Reserve, and other financial regulatory agencies are phasing in new rules for institutions such as banks, credit unions, hospitals, and other providers, including physicians, that govern their detection of, response to, and prevention of identity theft. By August 1, health care providers who fall within the rules must have an identity theft prevention program that has been approved by their board of directors or an appropriate committee of the board. Overall, the "Red Flags Rules" are designed to detect, prevent, and mitigate identity theft, in particular with regard to the patient accounts that the provider maintains.

Applicability to For-profit and Nonprofit Health Care Providers
Under the Red Flag Rules, creditors that are subject to FTC enforcement under the Fair Credit Reporting Act (FCRA) with “covered accounts” must implement programs that identify, detect, and respond to practices that could indicate identity theft. Although opinions differ, it is likely that health care providers—whether they are for-profit or nonprofit—are subject to the Red Flag Rules because they are creditors, are subject to enforcement by the FTC under the FCRA, and have “covered accounts.”

Creditors. A creditor includes any person or entity that “regularly extends, renews, or continues credit.” The term credit means “the right granted by a creditor to a debtor to defer payment of debt or…to purchase…services and defer payment therefore.” For health care providers, credit would result when, for example, a health care provider grants a patient the right to defer payment for medical services rendered. Thus, a health care provider could be deemed a creditor because it regularly extends, renews, or continues credit, in the form of deferred payment for medical services to patients and others who utilize the provider's services.

Covered accounts. The rules apply only to “covered accounts.” A covered account is defined broadly as (a) an “account … primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions;” or (b) “[a]ny other account … for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the…creditor from identity theft.” Health care patient (and perhaps other) accounts qualify as covered accounts under both prongs of the definition: patient accounts serve personal and/or family purposes because such accounts relate to medical services for individuals and/or family members and often involve or permit multiple payments or transactions; and health care provider accounts, including patient financial accounts, present possibilities for identity theft.

Requirements of a Red Flag Program
In general, this identity theft program is designed to detect red flags – "a pattern, practice, or specific activity that indicates the possible existence of identity theft." The program must be updated periodically. Risk assessment of covered patient accounts must be conducted with consideration of how those accounts are opened and accessed, and any previous experience that the provider has had with identity theft. The approved plan must provide for continued administration by the board, a committee of the board, or a designated employee in senior management to oversee, develop, implement, and administer the program.

The required elements of the identity theft program should include reasonable policies and procedures to accomplish the following:

  • Identify red flags. To identify red flags, providers should consider the types of accounts offered and maintained, the methods used to open and provide access to such accounts, any previous experience with identity theft, and any suspicious activity related to patient accounts. Providers should pay particular attention to actual or reasonably likely instances of medical identity theft.
  • Detect red flags. To detect red flags, a provider should have a process to authenticate patients, monitor transactions, and verify change-of-address requests. Such a process might include requiring patients to produce identifying information at the inception of the account and when they present for service.
  • Respond to red flags. To respond to red flags, covered entities must make appropriate responses that prevent and mitigate identity theft. For health care providers, this might include responding to identity theft alerts from law enforcement, monitoring patients' covered accounts, contacting patients when questions or concerns arise, changing passwords or security codes, or refraining from collecting on an account or selling it to a debt collector.
  • Ensure the program is updated. Covered entities should ensure the program is updated to reflect changing risks to patients or the safety of the provider from identity theft and medical identity theft. Health care providers should update their program to adequately respond to alerts from law enforcement and others, changes in the methods of identity theft, changes in the methods to detect and prevent identity theft, and changes to the health care provider's business infrastructure.
  • Obtain board approval. The covered entity's board of directors (or an appropriate board committee) must approve the identity theft prevention program and be involved directly or through a designated senior management employee in the oversight, development, implementation, and administration of the program. Covered health care providers must assign specific responsibility for implementing the program, training staff, auditing compliance, generating annual reports, and overseeing anyone granted access to covered accounts.

Because of the impending deadline, health care providers should begin now to determine the degree and extent to which the Red Flag Rules apply to them and mobilize compliance steps. This information was provided by Renee H. Martin of the law firm of Tsoules, Sweeney, Martin & Orr, LLC.
