On October 22, the Federal Trade Commission ("FTC") announced that it will delay enforcement of the second section of the Red Flag Rules (16 C.F.R. § 681.2) which will require many healthcare providers to implement programs to identify and respond to indicators of potential identity theft ("Red Flags"), extending the compliance deadline from November 1, 2008 to May 1, 2009. A "Red Flag" means a "pattern, practice or specific activity that indicates the possible existence of identity theft."

The FTC 's delay of the compliance deadline for the second section of the Red Flag Rules was prompted by the fact that many industries and entities were uncertain or unaware of its application to their activities. The FTC has stated that more detailed compliance guidance on the second section is forthcoming, but it is not known at this time when such guidance can be expected. The November 1, 2008 compliance deadline for the first and third sections of the Red Flag Rules remain intact. The first section (16 C.F.R. § 681.1) imposes certain duties on "users of consumer reports" who receive notice of address discrepancies, and the third section (16 C.F.R. § 681.3) imposes duties on "card issuers" with regard to changes of address and requests for replacement cards.

The FTC implemented the Red Flag Rules in order to detect, prevent and mitigate against the theft of consumers' identities by imposing certain duties on financial institutions and creditors. A healthcare provider who defers payment for medical services provided to a patient may meet the broad definition of a "creditor" required to comply with the Red Flag Rules adopted by the FTC. Mere acceptance of credit cards as a form of payment does not make a healthcare provider a "creditor." In a recent alert, the FTC has also stated that the definition of "creditors" required to comply with the Red Flag Rules includes non-profit and governmental entities who defer payment for goods and services.

Healthcare providers must determine if they meet the broad definition of "creditor." A healthcare provider that is a "creditor" must then periodically determine whether it offers or maintains "covered accounts." If a provider is a "creditor" with "covered accounts," it will be required to develop and implement a written "Identity Theft Prevention Program." Additionally, a healthcare provider who is a "user" of "consumer reports" will be required to take certain actions when it is informed of a substantial difference between the consumer's address provided to request the report and the address(es) in the consumer reporting agency's file for the consumer.

Until further guidance is obtained from the FTC, many healthcare providers have chosen to implement an Identity Theft Prevention Program before May 1, 2009, including proprietary and not-for-profit hospitals, behavioral health facilities, nursing homes, ambulatory care, surgery and diagnostic facilities, and physician practices. One of the approaches adopted by these healthcare providers is to implement the Identity Theft Prevention Program as a part of their existing HIPAA compliance plan.

The threat of identity theft in the context of healthcare services presents costly and potentially dangerous consequences for both healthcare providers and their patients. The Federal Trade Commission ("FTC") has recognized that the greatest risk for identity theft in the healthcare setting is encountered when a new account is created for a patient.[1]

The Fair and Accurate Credit Transactions Act of 2003 ("FACTA")[2] amended the Fair Credit Reporting Act ("FCRA")[3] to mandate the promulgation of regulations designed to detect, prevent and mitigate the theft of consumers' identities by imposing certain duties on financial institutions and creditors. On November 9, 2007, the FTC published the "Red Flag Rules"[4] requiring covered entities to take certain actions to further the goal of protecting consumers from identity theft. The FTC generally governs corporations and other entities operating for profit. Under the FCRA, the FTC further exercises broad authority over all entities, including nonprofit corporations, which defer payment for goods and services. In a recent alert, the FTC has also stated that the definition of "creditors" required to comply with the Red Flag Rules includes non-profit and governmental entities who defer payment for goods and services[5]. Accordingly, nonprofit hospitals and other types of health care providers who would not normally be subject to FTC jurisdiction, but who defer payment for services until after delivery of services, may also be considered "creditors" subject to the Red Flag Rules. A "Red Flag" means a "pattern, practice or specific activity that indicates the possible existence of identity theft."[6]

Recent health law commentators have concluded that, "[i]f a health care provider allows for payment on medical services provided to a patient after those services were provided and/or over a period of installment payments, the healthcare provider could be considered a creditor. Accordingly, unless you provide services only on a prepaid basis, you are likely a creditor for Red Flag Rule purposes."[7]

Applicability and Compliance with 16 C.F.R. § 681.2.

The second section of the Red Flag Rules (16 C.F.R. § 681.2) requires that, once it has been determined that a health care provider is a "creditor," the provider must periodically determine whether it offers or maintains "covered accounts."[8] A covered account is defined as an account "primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions" or any other account that the creditor "offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the . . . creditor from identity theft."[9] An "account" is further defined as an "extension of credit, such as the purchase of property or services involving a deferred payment."[10] The FTC states that covered accounts which are subject to the Red Flag Rules include relationships with creditors that are not financial institutions in the traditional sense. Therefore, the purview of the Red Flag Rules is not limited to financial products or institutions, but includes other non-financial relationships to obtain products or services.[11] As a part of this periodic determination, the provider must conduct a risk assessment to determine whether it offers or maintains "covered accounts," taking into consideration: 1) the methods the provider uses to open its accounts; 2) the methods the provider uses to access its accounts; and 3) the provider's previous experiences with identity theft.[12]

If a health care provider is a "creditor" and also maintains "covered accounts," the provider must implement a written "Identity Theft Prevention Program."[13] The minimal components of an Identity Theft Prevention Program ("Program") must be designed to:

(1) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(2) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(3) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft;

(4) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft;

(5) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(6) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(7) Train staff, as necessary, to effectively implement the Program; and

(8) Exercise appropriate and effective oversight of service provider arrangements.[14]

The Red Flag Rules provide a creditor with flexibility in tailoring the design and implementation of a Program that is appropriate based on the size and complexity of the creditor, an well as the nature of its operations.[15] The Guidelines found in Appendix A of the Red Flag Rules should be of significant benefit to creditors in designing their program. The practical goal of the Program should be to identify and detect the relevant warning signs, or "Red Flags," of identity theft. Red Flags "may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents."[16] A supplement to the Guidelines identifies 26 possible Red Flags as examples that creditors may use as a starting point. These examples fall into five categories:

(1) Alerts, Notifications, or warnings from a consumer reporting agency;

(2) Suspicious documents;

(3) Suspicious personally identifying information, such as a suspicious address;

(4) Unusual use of - or suspicious activity relating to - a covered account; and

(5) Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts.[17]

Healthcare providers now have until May 1, 2009 to comply with the above-outlined second section of the Red Flag Rules.

Applicability and compliance with 16 C.F.R. § 681.1.

If a healthcare provider is also a "user of consumer reports," then it must also comply with the first section of the Red Flag Rules, which requires the user of consumer reports to take certain actions if the consumer's address supplied in the report is different from the address supplied by the consumer.[18] "This section applies to users of consumer reports that are subject to administrative enforcement of the FCRA by the FTC pursuant to 15 U.S.C. 1681(a)(1) (users)."[19] In the context of this section of the Red Flag Rules, the term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes.[20]

Healthcare providers may request consumer reports on patients when opening an account, prior to certain procedures for patients with existing accounts, or prior to initiating collection activities. If a healthcare provider does request consumer reports, then it is considered a "user" of consumer reports, and must be prepared to deal with the receipt of a "notice of address discrepancy" sent by a consumer reporting agency informing the provider of a substantial difference between the address of the consumer that the provider provided to request the consumer report and the address(es) in the reporting agency's file for the consumer.[21] If the provider is a user of consumer reports, then it must implement policies in preparation for the potential receipt of a notice of address discrepancy which enable the provider to form a reasonable belief that a consumer report relates to the consumer about whom the provider requested the consumer report, and the provider must also implement policies designed to reasonably ensure that the address of the consumer that the provider has furnished to the reporting agency from whom the provider received a notice of discrepancy is accurate.[22]

With regard to the specifics of a user's policies and procedures meant to comply with the mandated requirement to form a reasonable belief that a consumer report relates to the intended consumer rather than a person who has stolen the identity of the intended consumer, 16 C.F. R. § 681.1(c)(2) further provides, in part, as follows:

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);

(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

Regarding the specifics of a user's policies and procedures meant to comply with the requirement to furnish a reasonably-confirmed accurate address for the relevant consumer to a consumer reporting agency, 16 C.F.R. § 681.1(d) further provides as follows:

A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii) Establishes a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

In summary, as of November 1, 2008, if a health care provider is a user of consumer reports, then it must implement policies in preparation for the potential receipt of a notice of address discrepancy which enable it to form a reasonable belief that a consumer report relates to the consumer about whom it requested the consumer report, and the provider must also implement policies designed to reasonably ensure that the address of the consumer that it has furnished to the reporting agency from whom it received a notice of discrepancy is accurate.

Applicability and compliance with 16 C.F.R. § 681.3.

The third section of the Red Flag Rules (16 C.F.R. § 681.3) only applies to a healthcare providers who is an issuer of a debit or credit card which may be used to obtain services on credit.[23] If a healthcare provider offers such a card to its patients, then it is a "card issuer" and must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterward (at least thirty days after receipt of a such a notification), the card issuer receives a request for an additional or replacement card for the same account.[24] Under such circumstances, the card issuer may not issue an additional or replacement card until the issuer notifies the cardholder of the request at the cardholder's former address or by any other means of communication the cardholder previously agreed to use and provides the cardholder of a reasonable means of promptly reporting incorrect address changes, or otherwise assess the validity of the change of address in accordance with policies established pursuant to the second section of the Red Flag Rules.[25] This third section of the Red Flag Rules goes on to explain alternative timing of address validation and proper forms of notice,[26] however, it appears unlikely at this time that a large number of healthcare providers will be subject to this section of the Red Flag Rules.