The Federal Trade Commission (FTC) published its new Identity Theft Red Flag Rules in November 2007 pursuant to the Fair and Accurate Credit Transaction Act of 2003.[1] Compliance with the Red Flag Rules (the “Rules”) by creditors[2] or financial institutions that provide “covered accounts”[3] is required by November 1, 2008.
Initially, the general assumption was that the Rules would apply only to financial institutions and other commercial creditors. However, FTC staff members recently have stated unofficially that hospitals and other health care providers may be subject to the Rules.[4]
Under these Rules, all financial institutions, most electronic service providers, and all “creditors” that hold any consumer account or other account for which there is a reasonably foreseeable risk of identity theft are required to develop and implement an Identity Theft Prevention Program (the “Program”). The Program must include reasonable written policies and procedures for detecting, preventing and mitigating identity theft in connection with new and existing accounts.
Under the FTC staff interpretation, a hospital or other health care provider would be covered under the Rules if it regularly arranges for credit, grants extensions of time to pay, or enters into other deferred payment arrangements with its patients.
To meet the requirements of the Rules, a health care provider covered by the Rules is required to implement an Identity Theft Prevention Program that accomplishes the following:
- Identifies patterns, practices or specific activities that could indicate an account holder has been the victim of or is engaged in identity theft and incorporates those “red flags” into the Program;
- Detects red flags that have been incorporated into the Program;
- Responds appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensures that the Program is updated periodically to reflect changes in risks from identity theft.
Who Must Comply with the Rules?
All financial institutions, most electronic service providers and “creditors” that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft must comply with the FTC’s Rules.
Are Hospitals and Other Health Care Providers Subject to the Rules?
While initially it was assumed that the Rules were not applicable to hospitals and other health care providers, recent unofficial statements by FTC staff indicate the agency’s view that hospitals and other health care providers will be regulated under the Rules if they regularly enter into arrangements with patients to defer or extend the time for payment for services.
What Are the Identity Theft Prevention Program Requirements?
Under the Rules, a written program that identifies and detects the relevant warning signs, or “red flags,” of identity theft should be developed and implemented. The Program also should describe appropriate responses to prevent or mitigate the crime. There also should be a plan to update the Program on a regular basis.
Who Should Be Involved in Implementing the Program?
The Program should be managed by a company’s board of directors or an appropriate committee of the board, should include appropriate staff training and should provide for oversight of any service providers.
What Are Some Examples of Identity Theft “Red Flags”?
- Unusual account activity;
- Alerts, notifications or warnings from consumer reporting agencies;
- Suspicious documents (e.g., suspected forgeries or a mismatched photo description);
- Suspicious personally identifying information (e.g., address discrepancy or inconsistent social security numbers);
- Notifications from customers, businesses, law enforcement officers or consumer victims of identity theft.
When Must the Program Be in Place?
No later than November 1, 2008, all entities governed by the Rules should have designed, implemented and started operating an internal system designed to protect against identity theft.
What Is the Potential Liability for Failing to Comply With the Rules?
Compliance with the Rules is enforced by the FTC, state attorneys general and consumers. The FTC has the authority to impose fines up to $2,500 for knowing and continuous violations of the Rules. State attorneys general on behalf of their residents can recover up to $1,000 per willful or negligent violation of the Rules, as well as attorney fees. Additionally, failure to comply may result in civil liability for negligent noncompliance to consumers in an amount equal to actual damages suffered plus attorney fees.
Is There Any Flexibility In Meeting the Requirements?
The FTC has allowed for some flexibility for financial institutions and creditors with covered accounts in developing and implementing a written identity theft program. The program should detect, prevent and mitigate identity theft in connection with existing and new accounts, but may be designed to meet the size, complexity, scope and nature of the business.
What Action Should Be Taken, Given the Fast-Approaching Deadline?
A health care provider that regularly extends credit or enters into arrangements with patients to defer payment for services should take the following actions:
- Promptly identify current policies and procedures aimed at preventing identity theft and/or that deal with identity theft “red flag” occurrences.
- Identify the accounts and the red flags that may pertain to the organization.
- Conduct a risk assessment to determine the level of risk associated with red flag occurrences and document the findings of the assessment.
- Establish a written identity theft security program, approved by the board of directors or an appropriate committee of the board, consistent with the Rules.
- Develop a training program to create an awareness of identity theft issues and to train appropriate personnel on responding to and mitigating the risks of identity theft.
- Develop a policy to implement the Program with service providers.
- Consult your legal counsel as soon as possible for assistance in creating, documenting or administering your program.