Financial institutions and creditors, including health care providers, face an impending deadline to develop and implement a written identity theft prevention program (an "Identity Theft Prevention Program") required by regulations (the "Red Flags Rule") issued by the Federal Trade Commission ("FTC") and other agencies pursuant to The Fair and Accurate Credit Transactions Act of 2003.
The Red Flags Rule requires businesses that extend credit to customers to develop a written program that identifies and responds to suspicious activities ("Red Flags") that signal possible identity theft. The Red Flags Rule became effective January 1, 2008, and requires businesses to comply by August 1, 2009.
Health Care Providers as Creditors
The Red Flags Rule applies only to "creditors" and "financial institutions" with "covered accounts." Typically, we do not think of institutions such as hospitals, physicians' practices, dental offices and non-profit organizations as "creditors." However, the FTC has taken the position that "creditor" includes any organization that provides goods or services and bills for them after the date of service. In fact, the FTC issued an article stating that "many doctor's offices, hospitals, and other health care providers are required to spot and heed the red flags that often can be the telltale signs of identity theft."
In addition, the Red Flags Rule defines "covered account" broadly to include an account for personal or family purposes designed to permit multiple payments or transactions as well as any account for which there is a foreseeable risk to customers from identity theft. Patient accounts can be either accounts for personal purposes or accounts that may be at risk for identity theft.
Developing an Identity Theft Prevention Program
The Identity Theft Prevention Program must be in writing and should include policies and procedures that: (a) identify Red Flags (through both the provider's own experiences and suggested Red Flags contained in the Red Flags Rule); (b) detect the occurrence of Red Flags; (c) designate responses to any detected Red Flags; and (d) review and update the Identity Theft Prevention Program.
The governing board of the health care provider, or the highest executive authority (e.g., president) of the provider if the provider does not have a board, must approve the Identity Theft Prevention Program. Oversight of the Identity Theft Prevention Program should include assigning responsibility for its implementation to specific individuals and providing those individuals with the necessary training, reviewing reports prepared by staff, approving material changes to the Identity Theft Prevention Program and overseeing service provider arrangements, if applicable.
The Red Flags Rule also imposes upon health care providers other measures in addition to the creation of an Identity Theft Prevention Program if a provider requests consumer reports on patients (a practice that may be used when expensive services are involved) or issues smart cards or credit cards to patients used in connection with services.
Possible Penalties for Non-Compliance with the Red Flags Rule
Although there are no criminal penalties for failing to comply with the Red Flags Rule, a health care provider subject to the Red Flags Rule who violates it may be subject to FTC enforcement activity, including fines of up to $2,500 for each independent violation of the Red Flags Rule; state enforcement of up to $1,000 per violation plus attorney's fees; and litigation (including class action lawsuits) by individuals who can demonstrate damages from the health care provider's failure to comply.
Red Flags Rule Compliance Kits
Baker & Daniels has developed a "Red Flags Rule Compliance Kit" to aid organizations in meeting their compliance obligations under the Red Flags Rule.