With the alarming rise of identity theft in recent years, Congress and federal regulators passed new laws aimed at protecting consumer account information in a variety of industries, including health care. Many health care providers must take steps to comply with the new "Red Flags" Rule, passed by Congress in the Fair and Accurate Credit Transactions Act of 2003. Compliance with the Red Flags Rule is not difficult, but noncompliance can be costly, with civil monetary penalties of $2,500 per violation.
Application of the Red Flags Rule to Providers
The Federal Trade Commission's ("FTC") Red Flags Rule reads as if it is more relevant to commercial banking institutions than physician practices or surgery centers. However, the Red Flags Rule contains broad definitions of "creditors" and "covered accounts" that make it applicable to a wide array of businesses, including healthcare providers. A healthcare provider may be deemed a "creditor" if it "regularly" accepts alternatives to payment in full on the date of service. If a provider qualifies as a creditor, it must next ascertain whether it maintains any "covered accounts," i.e., any account designed to permit multiple payments, as well as any other accounts that involve a reasonably foreseeable risk of identity theft.
The Compliance Regime
Any health care provider who permits patient payment plans is likely a creditor with covered accounts for purposes of the Red Flags Rule. Such providers are required to comply with the Red Flags Rule by developing and implementing a written Identity Theft Prevention Program (the "Program"). At the outset, providers must determine which red flags are relevant. Red flags include warning signs of identity theft such as a personal identification that looks altered or forged, alerts from credit agencies, or suspicious documents. Once relevant red flags are identified, the Program must include procedures for detecting those red flags, preventing and mitigating identity theft, and updating the Program periodically to stay current with emerging risks.
For additional guidance, providers should consult legal counsel or refer to the FTC’s guide for businesses, "Fighting Fraud With the Red Flags Rule: A How-To Guide for Business."