By: Cynthia C. Anderson
The “Red Flag” Rules (the “Rules”), which were issued late last year by the Federal Trade Commission (FTC), require financial institutions and creditors to implement programs to identify, detect and mitigate instances of identity theft. Many health care providers have been unaware of the Rules or have been uncertain whether these requirements apply to them. While the Rules do not specifically mention health care providers, it seems likely that most providers will be subject to them. The Rules were scheduled to come into effect on November 1, 2008, but the FTC has delayed their implementation until May 1, 2009. This will give providers time to determine whether the Rules apply to their operations and, if so, to implement written programs to comply with them.
The Rules apply to “creditors” with “covered accounts.” A creditor includes any person or entity who “regularly extends, renews, or continues credit.” “Credit” is defined as the right to defer payment for a debt or service. For health care providers, this would result when a patient is allowed to defer payment for medical services rendered. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. Additionally, the Rules only apply to “covered accounts,” which are accounts used mostly for personal, family or household purposes that permit multiple payments, or accounts for which there is a foreseeable risk of identity theft. Patient accounts appear to qualify as covered accounts under both prongs of this definition.
The Rules require a written program to detect, prevent and mitigate identity theft. To identify red flags, the provider should consider the types of accounts offered and maintained, the methods used to open and provide access to such accounts, and any previous experience with identity theft or suspicious activity related to accounts. To detect a red flag, a provider should have a process to authenticate patients, monitor transactions and verify the validity of change-of-address requests. Medical identity theft, particularly involving insider access to data, is specifically included in the guidelines to the Rules, and a prudent provider should oversee employee and vendor access to patient data. A provider must have in place procedures to respond appropriately if a red flag is identified or an identity theft alert is received from a law enforcement or other agency, and the procedures should be updated periodically to reflect changes in the identity theft risks to patients and to the provider itself. Finally, the program must be managed by the Board of Directors or senior management of the provider. It should include appropriate staff training and provide for oversight of any service providers.
The Red Flag Rules give providers some flexibility in implementing their identity theft program, taking into account the size and complexity of the provider’s operations. A large clinic, for example, will need a more robust program than a two-doctor office. The Rules allow creditors to incorporate existing processes into their identity theft program, and many of the actions needed to comply with them may already have been included in a provider’s HIPAA compliance efforts. The important thing is for a provider to be aware of the Rules, to determine the applicability of the Rules to its operations, and to take the necessary actions to bring itself into compliance with the Rules by May 1, 2009.