The Federal “Red Flag Rules” Require Identity Theft Prevention Programs

On May 1, 2009, the Federal Trade Commission (FTC) will begin enforcing its so-called “Red Flag Rules,” which require certain creditors to create and implement a written identity theft prevention program. Because of the broad definition of “creditor” under the Rules, many healthcare providers will likely be included. Attorneys from the law firm of Walter and Haverfield, LLP have provided the AMCNO with the following information for our members regarding the red flag rules.

Under the Rules, entities are given leeway to design and implement an identity theft prevention program that is appropriate to their size, complexity and the nature of their business. However, under the Rules, entities must do the following:

Step 1: Assess whether your entity is subject to the regulation.

A healthcare provider is subject to the Red Flag Rules if the provider extends credit and maintains “covered accounts.” Credit includes deferring payment for services to a later date. A “covered account” is defined as an account primarily for personal, family or household purposes that involves, or is designed to permit, multiple payments or transactions. Patient accounts are accounts for personal purposes, and if multiple payments can be made on the account, the FTC considers it a “covered account” under the Red Flag Rules.

Step 2: Draft and Implement an Identity Theft Prevention Program

Entities subject to the Red Flag Rules must design and implement an identity theft prevention program (the “Program”) which does the following:

1.) Identifies Covered Accounts.

2.) Identifies Red Flags - “Red flags” are warning signs of identity theft. Some types of “red flags” are:

  • Alerts, notifications or other warnings received from consumer reporting agencies;

  • Presentation of suspicious documents (e.g., obvious forgeries or physical descriptions or photos not matching the person providing the document);

  • Suspicious personally identifiable information (e.g., fictitious addresses, inconsistent personal information, or a lack of correlation between the SSN range and the date of birth); and

  • Other suspicious activity on the account (e.g., suspicious change of address).

3.) Detects Red Flags – the Program must contain reasonable approaches to detecting the identified “red flags.” One example would be instituting a policy to verify the patient’s identity at the time of registration.

4.) Responds to Red Flags – the Program must set forth a process to prevent and mitigate the damaging effects of identity theft through appropriate responses to “red flags.” Examples of appropriate responses may be:

  • monitoring covered accounts for evidence of identity theft;

  • contacting the patient or account holder;

  • changing security codes for external access to patient accounts and medical records;

  • declining to open an account or closing an existing account; and

  • notifying law enforcement.

5.) Provides for administration of the Program, periodic updates, and employee training.

Step 3: Approve the Program

The entity’s board of directors, or an appropriate committee of the board, must approve the Program. In addition, either the board of directors or a senior-level employee must be involved in the oversight, development, implementation and administration of the Program.

Further Information

It is recommended that entities consult with legal counsel to determine whether they are subject to the Red Flag Rules and, if so, to create and implement a Program in compliance with the Rules; physicians are therefore encouraged to contact their legal counsel regarding this issue. If you have questions regarding the “Red Flag Rules,” you may also contact the staff at the law firm that prepared this information for the AMCNO: Ms. Heather R. Baldwin Vlasuk or Amy S. Leopard at Walter & Haverfield, LLP, (216) 781-1212. Additional information on the Red Flag Rules and identity theft may be viewed on the FTC web site at http://www.ftc.gov/bcp/edu/microsites/idtheft// . In addition, the FTC has prepared a guide for businesses; to view this guide, go to http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf