Many health care providers have received newsletters about the Red Flag Rules and are wondering if these rules, which generally appear to apply to the financial industry, really do apply to health care entities. As discussed further below, the answer is likely “yes.” The Red Flag Rules become effective November 1, 2008, and health care providers should not delay in assessing their risks with respect to identity theft and developing policies and procedures to recognize and respond to identity theft “red flags.”
To Whom Do the Red Flag Rules Apply?
The Red Flag Rules apply to “creditors” who maintain “covered accounts.”
- “Creditor” includes any person who regularly extends, renews or continues credit, which means the right granted by a creditor to a debtor to defer payment of debt or to purchase services and defer payment therefor.
- A “covered account” is (1) an account that a creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account; and (2) any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
Although the above definitions focus on financial services entities (e.g., credit card companies and banks), hospitals and other health care providers are considered creditors with covered accounts if they provide services and permit patients to pay for those services incrementally in accordance with a payment plan.
What Do the Red Flag Rules Require?
The Red Flag Rules require creditors with covered accounts to develop and administer a written identity theft prevention program (Program) to detect, prevent and mitigate identity theft in connection with the opening of a covered account or with any existing covered account. The Program must include reasonable policies and procedures to identify relevant identity theft red flags and incorporate them into the Program, detect red flags that have been incorporated, respond appropriately to any red flags that have been detected to prevent and mitigate identity theft, and ensure that the Program (including the red flags determined to be relevant) is updated periodically to reflect changes in risks.
In addition, each organization to which the Red Flag Rules apply must obtain approval of its initial written Program from either its board of directors or an appropriate committee of the board of directors and, thereafter, involve the board, an appropriate committee of the board, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program. The organization must train staff, as necessary, to effectively implement the Program. Finally, the organization must exercise appropriate and effective oversight of arrangements with its service providers with respect to prevention of identity theft.
The Federal Trade Commission and the other agencies responsible for enforcing the Red Flag Rules have developed guidelines for compliance, described below, that each organization must consider and incorporate into its Program as appropriate.
Identify Relevant Red Flags. Each organization should consider the following risk factors to identify relevant red flags with respect to identity theft within the organization:
- The types of covered accounts it offers or maintains;
- The methods it provides to open its covered accounts;
- The methods it provides to access its covered accounts;
- Its previous experiences with, and incidents of, identity theft; and
- Methods of identity theft that have been identified and that reflect changes in identity theft risks.
Each organization should also consider the five categories of identity theft red flags listed below and include applicable examples of red flags in its Program:
- Alerts, notifications or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
- The presentation of suspicious documents;
- The presentation of suspicious personal identifying information, such as a suspicious address change;
- The unusual use of, or other suspicious activity related to, a covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft in connection with covered accounts held by the creditor.
The agency guidance includes a list of 26 examples of red flags, organized into the categories listed above, that should be reviewed by an organization as it develops its Program.
Detecting Red Flags. An organization’s Program should address the detection of red flags in connection with both the opening of covered accounts and existing covered accounts. For new accounts, this includes obtaining identifying information about, and verifying the identity of, the person opening the account. For existing accounts, it includes authenticating customers, monitoring transactions and verifying the validity of change of address requests.
Preventing and Mitigating Identity Theft. A Program should provide for appropriate responses, commensurate with the degree of risk posed, to detected red flags. In determining an appropriate response, an organization should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to records or notice that a customer has provided information related to a covered account to someone fraudulently claiming to represent the organization or to a fraudulent website.
Updating the Program. Organizations should periodically update their policies and procedures (including red flags determined to be relevant) to reflect changes in risks to customers or to the safety and soundness of the organization from identity theft.
Administration of the Program. Following initial approval by the board or a committee thereof, an organization’s Program must be overseen by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management. Oversight should include assigning specific responsibility for the Program’s implementation, reviewing reports prepared by staff regarding compliance with the Program, and approving material changes to the Program as necessary to address changing identity theft risks.
Organization staff responsible for development, implementation and administration of the Program should report at least annually to the designated oversight group or individual on the organization’s compliance with the Program and the Red Flag Rules. The report should address material matters related to the Program and evaluate such issues as the effectiveness of the organization’s policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and existing covered accounts, service provider arrangements, significant incidents involving identity theft and management’s response, and recommendations for material changes to the Program.
In addition, whenever an organization engages a service provider to perform an activity in connection with one or more covered accounts, the organization should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. For example, an organization could require the service provider by contract to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider’s activities, and either report the red flags to the organization or take appropriate steps to prevent or mitigate identity theft.
What Steps Should an Organization Take to Develop a Program?
We recommend that health care providers take the following steps to develop a Program to comply with the Red Flag Rules:
- Gather a work group to consider identity theft issues at the organization and to provide input during development of the Program. It may be helpful for the group to include individuals familiar with the organization’s practices related to patient registration, billing and collection, medical records and privacy, information technology and pharmacy.
- Compile a list of the organization’s current policies, procedures and practices that already address the risks of identity theft, such as those related to HIPAA security, confirmation of patient identity during registration, verification of the identity of patients who are prescribed narcotics, discrepancies in insurance information, etc. Ensure that the organization’s written Program takes into account these existing policies and procedures as well as the regulatory requirements and agency guidance discussed above.
- For hospitals, ensure that any plan to require identification upon patient registration does not create a risk of violating the Emergency Medical Treatment and Active Labor Act (EMTALA) and its implementing regulations and guidance, which prohibit delaying a medical screening examination in order to complete registration procedures.
- Determine whether the organization uses service providers to maintain covered accounts (e.g., billing and collection services) and ensure that language requiring the service provider to implement procedures to address identity theft risks and report incidents to the organization is incorporated into the organization’s written agreement with the service provider.
- Develop processes for investigating and addressing possible incidents of identity theft. For example, how will the organization handle requests from patients or staff for investigation into potential identity theft? What will the organization do if it is determined that erroneous information has been included in a patient’s medical record because an individual falsely claimed to be the patient and received care under the patient’s name?
- Ensure that staff members are adequately trained regarding the organization’s procedures to prevent, identify and respond to risks of identity theft.
Address Discrepancy Rules
In conjunction with the Red Flag Rules, the responsible agencies also released new regulations regarding notices of address discrepancy received from consumer reporting agencies (i.e., credit reporting agencies). These rules (Address Discrepancy Rules) apply to any organization that requests consumer reports and thus would include health care providers who use consumer reports as part of an employment screening process or prior to providing services to a patient who will pay out-of-pocket.
A user of consumer reports must develop and implement reasonable policies and procedures that enable the user, when it receives notice of an address discrepancy, to form a reasonable belief that the consumer report received relates to the individual about whom the user requested the report. The policies and procedures should include actions such as comparing the information in the consumer report with the information about the individual that the user maintains in its own records or obtains from third-party sources, and verifying the information in the consumer report with the individual. If the user regularly furnishes information to consumer reporting agencies in the ordinary course of business, establishes a continuing relationship with the consumer, and reasonably believes that the consumer report provided relates to the consumer about whom the user requested a report, the user must report the consumer’s accurate address to the agency that provided the notice of address discrepancy.
To ensure compliance with the Address Discrepancy Rules, health care providers should determine whether they use consumer reports and, if so, implement policies and procedures as described above.