
FTC’s Red Flag Rules mandate identity theft prevention policies by November 1


The Federal Trade Commission (FTC) has issued regulations, known as the Red Flag Rules, under the Fair and Accurate Credit Transactions Act of 2003 that require financial institutions and “creditors” to develop and implement written identity theft prevention programs. “Creditor” is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” The FTC’s definition of creditor is very broad and would cover many health care entities. According to the FTC, if an entity defers payment from a person and has a continuing relationship with that person, then the entity is a creditor and must comply with the Red Flag Rules.

The Red Flag Rules require “creditors” holding consumer or other “covered accounts” to develop and implement an identity theft prevention program, and to develop reasonable policies and procedures to prevent and mitigate identity theft. “Covered accounts” include (1) an “account” offered or maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payments, or (2) any other “account” for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. An “account” is defined as a continuing relationship established by a person with a creditor to obtain a product or service for personal, household or business purposes. Patient accounts maintained by physicians are likely to satisfy these definitions, according to the FTC.

The FTC has taken the position that health care providers (including physicians) are “creditors,” and subject to the Red Flag Rules, if they bill consumers after their services are completed, and that providers that accept insurance are also “creditors” if the consumer is ultimately responsible for the medical fees. If businesses, including health care entities, regularly extend, renew or continue credit, then they must adopt a written identity theft prevention program. Identity theft prevention programs must be in place by November 1, 2008, and must provide for the identification and detection of, and response to, patterns, practices or specific activities (known as “red flags”) that could indicate identity theft.

There is no “one size fits all” identity theft program for health care professionals. An effective program will depend on the size and complexity of the entity. However, any program must address four elements. (1) Identify the patterns and practices that are red flags for identity theft; examples of red flags include presentation of suspicious documents, such as altered or forged documents; presentation of suspicious personal identifying information; a request for new services soon after a change-of-address request; and alerts received from consumer reporting agencies. (2) Detect red flags; policies to detect red flags could include obtaining identifying information about patients, verifying the identity of patients, monitoring transactions and verifying any address changes. (3) Respond to detected red flags and mitigate them; an appropriate response may include monitoring a covered account for evidence of identity theft, changing passwords, contacting the victim, changing an account number, notifying law enforcement or, where warranted, taking no action. (4) Update the program periodically to reflect changes in risks; providers should consider their own experiences with identity theft, changes in methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in the types of accounts they offer or maintain, and changes in their business arrangements. Upon development, each program must be formally authorized and adopted by the entity’s governing body or senior management, and that body or those persons must provide ongoing administrative oversight of the program’s implementation, which includes staff training, designation of an oversight employee, compliance audits and the generation of annual assessment reports.
Because many of the requirements of the Red Flag Rules overlap with requirements of the Health Insurance Portability and Accountability Act (HIPAA), health care providers are likely to already have implemented many of the required measures in their HIPAA compliance efforts.

According to the FTC, identity theft in the health care arena not only poses a financial problem, but could have a devastating impact on the future health care of the person whose identity is stolen, because incorrect information entered into the treatment record could form the basis for future medical care.

Separate from the Red Flag Rules, but also of possible interest to physicians, is the Address Discrepancy Rule. If businesses, including health care entities, use consumer reports to make decisions about employees or to make credit decisions about patients, they must establish reasonable policies and procedures to protect against identity theft. Essentially, if the business receives a notice of address discrepancy from a consumer reporting agency, its policies should enable the entity to make a reasonable determination that the consumer report it receives is about the person for whom it was requested. An entity’s policy might include a requirement that the entity compare the consumer report information with information it has on file (e.g., applications, address changes), verify the information with the consumer about whom the report was requested, verify the address through third-party sources, and use other reasonable means.

The AMA has sent a letter to the FTC asserting that the Address Discrepancy and Red Flag Rules should not apply to physicians. The letter asks the FTC to delay the applicability of the Rules to physicians until it provides a legal analysis of the applicability of the Rules to health care professionals in light of legal precedent. However, at this point the FTC has not responded to the letter, and health care professionals should proceed as if the rules will apply to them on November 1, 2008.

The Federal Register notice that implements the Red Flag and Address Discrepancy Rules contains the actual rules on pages 55-59 of that document, starting with the heading “Federal Trade Commission” on page 55. Starting on page 58 there is a list of 26 possible “red flags”; not all of these examples will apply to physician offices. The FTC has also published further guidance on these rules.