New Requirements for Fighting Medical Identity Theft


by Brian R. Carney

In 2007, due to the increasing problems caused by identity theft generally, the Federal Trade Commission (“FTC”) issued regulations requiring financial institutions and creditors with covered accounts to develop and implement written identity theft prevention programs. Under these regulations, known as the “Red Flag Rules,” the identity theft prevention program must provide for the identification, detection, and response to patterns, practices, or specific activities – the red flags – that could indicate identity theft. Although the final rules became effective on January 1, 2008, the FTC recently announced that it would delay enforcement of the rules until August 1, 2009, because many entities are uncertain about their coverage under the rules.

Many healthcare providers, including doctors’ offices, may be subject to the Red Flag Rules even though such entities are not normally considered “creditors” in the traditional sense and even if they already meet existing privacy and security obligations under the Health Insurance Portability and Accountability Act. If your business or practice regularly extends, renews, or continues credit, your business or practice is a “creditor” for purposes of the Red Flag Rules. The FTC has expressly rejected the notion that physicians’ offices are not covered under these rules. In fact, according to the FTC, a physician or other healthcare provider is a “creditor” if the provider regularly bills patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. You may also be a “creditor” if you help patients obtain credit from other sources.

The second key term for coverage purposes – “covered accounts” – is defined as any account used mostly for personal, family, or household purposes that involves multiple payments or transactions, or other accounts for which there is a foreseeable risk of identity theft.

The Red Flag Rules allow covered entities to tailor identity theft programs that are appropriate given their size and complexity and the nature and scope of their activities. However, even where the risk of identity theft is low in a particular practice, a required identity theft program must include the following policies and procedures: (1) identify the kinds of red flags that are relevant to your practice; (2) explain your processes for detecting them; (3) describe how you’ll respond to red flags to prevent and mitigate identity theft; and (4) spell out how you’ll keep your program updated.

Although there are no criminal penalties for failing to comply, violators may be subject to substantial monetary fines. Failure to comply might also increase your practice’s tort exposure to liability with respect to patients who are damaged by identity theft on or after August 1. More importantly, an effective identity theft prevention program will help reduce costs associated with unpaid medical bills racked up by scam artists.

In light of these requirements, it is recommended that you consider the following actions:

  • Review your billing and payment procedures to determine whether you are covered by the rules;
  • If covered, develop and implement a written identity theft prevention program;
  • Appoint a senior-level employee to oversee and administer the program; and
  • Train staff employees as needed.