By some estimates, nearly half of the health care providers in America will soon be in violation of new federal identity theft rules. The so-called “Red Flags Rule” was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, under the authority of the Federal Trade Commission (FTC). See 16 CFR 681. Many health care providers have still never heard of the Red Flags Rule, and many of those who have are unsure whether the rule applies to them. Fewer still are ready to comply today. Quick action may be needed.
Under the rule, financial institutions and other “creditors” with covered accounts must have implemented written identity theft prevention programs designed to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft. The definition of “creditor” is very broad and can be read to apply to many health care companies (recent AMA challenges to this interpretation failed; see the attached FTC letter). Any entity that provides goods or services and bills for them afterwards is a “creditor,” so incidental bills to patients, private-pay arrangements, and insurance claims can all fall under the rule because each defers payment for goods or services already rendered. As creditors with covered accounts, health care providers need to comply.
The FTC issued relatively little pre-implementation guidance compared to the agencies that typically regulate health care (such as CMS). In fact, the FTC delayed enforcement of the Red Flags Rule because of reports that numerous companies were not even aware they were covered. Originally, compliance was required by November 1, 2008, but a six-month delay until May 1, 2009 was put into place to give non-financial institutions an opportunity to develop a program. Despite further attempts to delay implementation, May 1, 2009 remains the deadline for compliance, and fines can range from $2,500.00 to $11,000.00 per violation. While it is unlikely enforcers will be at your door on May 2, eventually you will probably be asked to present your plan, either during an audit or in a courtroom, and in either setting it is far better to present a plan that was implemented on time.
A program designed to identify and prevent identity theft must be in writing and tailored to the particular institution. The red flags in the program may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. When a patient reports receiving a bill from a provider that never served them, or for a service that was never provided, a red flag has likely been raised. The program must also describe the appropriate responses that would prevent and/or mitigate the crime, and a detailed plan for updating the program. Furthermore, senior management or the Board of Directors must approve the program and provide oversight, staffing and training.
In the health care setting, it is possible that existing HIPAA-required mechanisms can satisfy some of the requirements, given the “flexibility” the FTC says a written program is allowed. HIPAA rules, however, primarily address medical records and protected health information, whereas the Red Flags Rule focuses on financial accounts and billing. Moreover, the Red Flags Rule requires an affirmative effort by the creditor to respond to evidence of medical identity theft. A mere document will not do when a written program is called for, and HIPAA compliance is a supplement to, not a substitute for, a proper program.
The FTC insists that the Red Flags Rule is flexible and allows creditors to design a program appropriate to their size and complexity, as well as to the nature of their operations. In some circumstances, the FTC says, a “simple streamlined” program would be adequate, such as a requirement to check photo identification when services are sought, together with procedures for responding appropriately if law enforcement alerts the provider to misuse of an identity. Such procedures may be common sense. For example, on learning of identity theft, a creditor should neither try to collect the debt from the person whose identity was stolen nor report the debt to a credit agency, and medical providers must keep the victim's medical information separate from the tainted financial information. It must be remembered, however, that the program must be in writing.
Larger institutions will likely need correspondingly more robust programs, given the greater likelihood of identity theft. A robust program for a larger institution may require a privacy committee headed by a privacy officer, with members drawn from separate departments including, for example, representatives from pharmacy, administration, nursing, admissions, billing, and so on. Formal risk assessments would likely be needed, along with reporting mechanisms, action plans, formalized procedures, employee training, oversight and periodic review.
More information can be obtained from the Federal Trade Commission website, including guidelines that the FTC believes should help covered entities design their programs. On April 2, the FTC provided additional guidance on its new Red Flags Rule website, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule, including a new “How To” guide.
Kevin R. McManaman