Health and Life Sciences Law e-Bulletin

March 4, 2009

The FTC Begins Enforcement of its Red Flag Rules Regarding Identity Theft on May 1, 2009

After the FTC pushed back enforcement of its "Red Flag Rules" regulations regarding identity theft prevention from the original date of November 1, 2008, these Rules will now be enforced beginning on May 1, 2009. In general, the Red Flag Rules require certain businesses acting as "creditors" to develop and implement written identity theft prevention programs that identify, detect, and respond to patterns, practices, and activities that might indicate identity theft (i.e., the "Red flags" signaling identity theft).

The Red Flag rules apply to all "creditors" that offer or maintain one or more "covered accounts." A "creditor" is defined as a person that regularly extends credit, which includes persons that allow deferred payment of debts. A "covered account" is defined as an account for personal, family, or household purposes that permits multiple payments or transactions and any other account for which there is a reasonably foreseeable risk to the creditor of identity theft. For those health care providers that expressly offer financing or deferred payment plans, the rules clearly apply. Even for health care providers that do not engage in such practices, though, the rules may still apply. FTC personnel have indicated that physicians are "creditors" if they do not require payment up front but rather bill patients after the services are rendered. This, of course, describes the standard practices of the vast majority of physician groups and other health care providers. Indeed, these are practices that are required under most third-party health insurance arrangements. Thus, barring further guidance from the FTC to the contrary (and barring the successful pending lobbying efforts by various health care industry groups attempting to limit the scope of these rules), we advise that physician groups and other health care providers that do not require payment up front consider moving forward with compliance under the Red Flag Rules.

Thankfully, compliance with the Red Flag rules should not be too burdensome for most providers. And in many cases, a provider’s existing information privacy and security policies and procedures may already address requirements under the Red Flag rules. The provider should first identify its covered accounts. For most health care providers, their covered accounts would be their patient accounts. Second, the provider should identify identity theft red flags. These may include presentation of documents that appear to be forged or altered, suspicious changes of address, and patients demanding health records with unusual urgency or frequency. Third, the provider should have a mechanism to detect the red flags. This should facilitate the provider obtaining identifying information about, and verifying the identity of, new patients. It should also help the provider authenticate patients, monitor transactions, and verify the validity of change of address requests. Complying with this may be as simple as requiring photo ID for patients (whether new or existing patients) and requiring certain information to verify a patient’s identity over the phone, on the web, or by email. Fourth, the provider should respond appropriately to any red flags that are detected. Appropriate response might include monitoring a patient’s account for further evidence of identity theft, contacting the patient, changing passwords or security codes, forgoing collection on a patient account, notifying law enforcement, or taking no further action.

The rules specifically state that a creditor’s identity theft prevention program must be "appropriate to the size and complexity" of the creditor and to the "nature and scope of its activities." This means that a program for a physician practice need not be as complex as one for a bank or other financial institution. Thus, reasonable common sense safeguards are likely enough for most health care providers.

A provider’s board of directors must sign off on the identity theft prevention program, and the provider should train its staff on how to execute the program. Also, where the provider engages third party service providers (e.g., billing agents and practice management companies), the provider should ensure that such third parties cooperate with the provider to safeguard against identity theft.

Feel free to contact us if you have questions about whether the new Red Flag rules may apply to your organization and/or if you would like assistance in designing and implementing an identity theft prevention program and the required board approvals.
