Healthcare providers may not often think of themselves as part of the financial sector. So it could surprise those involved in the management of a medical practice or hospital (to name just two examples) to find that their provider entity may have legal obligations in common with banks and other financial institutions to protect against personal identity theft. These requirements are set forth under the Federal Trade Commission’s “Red Flag Rules.”

Federal Red Flag Rules

The Red Flag Rules[1] require creditor and financial institutions to have “Identity Theft Prevention Programs” designed to identify at-risk accounts, spot the occurrence of “red flags,” and prevent and mitigate potential identity theft. “Red flags” are those patterns, practices, and activities that could indicate a theft of an individual’s identity. The Federal Trade Commission[2] published the Red Flag Rules on November 9, 2007. Originally, enforcement under these rules was to commence on November 1, 2008. However, the agency announced last fall that it would delay the start of enforcement to May 1, 2009. On April 30, 2009, the agency announced a further delay in enforcement to August 1, 2009.[3] This gives covered healthcare organizations that missed the earlier compliance dates an additional but brief window for achieving compliance before the new deadline.

How to tell if your organization is covered under the Red Flag Rules

If it hasn’t done so already, management of a healthcare organization should take this opportunity to address the following questions; if the answer to both is yes, the organization has obligations under the Red Flag Rules:

  • Is our organization a creditor? Financial institutions and creditors that maintain covered accounts must comply with the Red Flag Rules. Healthcare providers are not financial institutions. But the definition of “creditor” under these rules is not restricted to banks, finance companies, mortgage brokers, and like entities. Any person who regularly extends, renews, or continues credit is covered as a “creditor” under the Red Flag Rules. This includes, for example, a medical practice that has a policy of allowing patients to pay over time following the completion of services. But it also includes any provider that regularly bills patients after having rendered the services, such as for remaining fees not reimbursed by third-party payors. If the provider always requires prepayment, it is not a creditor, and the analysis can end here. But any provider that regularly defers payment for goods and services is a creditor and has obligations under the Red Flag Rules if it maintains covered accounts.
  • Does our organization maintain covered accounts? Here, an “account” is defined as a “continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes” and includes “an extension of credit, such as the purchase of property or services involving a deferred payment.”[4] A covered account is one (i) used “primarily for personal, family, or household purposes, [and] that involves or is designed to permit multiple payments or transactions” or (ii) “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the . . . creditor from identity theft.”[5] A patient account, for example, is one used for personal purposes, and if multiple payments or transactions can be made on it, consider it a covered account under the Red Flag Rules.

What must covered healthcare organizations do under the Red Flag Rules?

By August 1, 2009, covered healthcare organizations must have in place an Identity Theft Prevention Program that is appropriate to the size and complexity of the organization and the scope of its activities. Among other things, this will require developing and implementing internal policies and procedures appropriate to the organization for detecting potential identity theft and mitigating its effects. Also, any healthcare organization that requests consumer reports (e.g., on patients registering for expensive services) will need to comply with the portion of the Red Flag Rules pertaining to discrepancy notices regarding consumers’ addresses.[6] Finally, although not applicable to most healthcare providers, there are requirements specific to debit and credit card issuers for validating notifications of address changes under certain circumstances.[7] Because all covered providers must have in place an Identity Theft Prevention Program by August 1, 2009, we focus on this requirement below.

Identity Theft Prevention Program

What the program must do. Under the Red Flag Rules, an Identity Theft Prevention Program must be in writing and designed to detect, prevent, and mitigate identity theft in connection with opening a covered account or with existing covered accounts. Such a program must include “reasonable policies and procedures” to—

  • Identify and incorporate into the program those red flags that are relevant to the organization’s covered accounts;
  • Detect those red flags that have been incorporated into the organization’s program;
  • Upon detecting red flags, respond appropriately to prevent and mitigate identity theft; and
  • Update the program periodically to reflect changes in risks to patients and the safety and soundness of the organization from identity theft.[8]

How such programs must be administered. The Red Flag Rules require a covered creditor to—

  • Obtain approval of its board or appropriate board committee for the written program;
  • Involve its board, an appropriate committee of the board, or senior management in the oversight, development, implementation, and administration of the program;
  • Provide staff training necessary to effectively implement the program; and
  • Provide appropriate and effective oversight of the organization’s arrangements with its service providers.[9]

The first two bullet points contemplate significant involvement by the board and upper-level management in adopting and administering the program. This should be evidenced by board resolutions approving the program, high-level communications within the organization regarding the program, and other indicia of board and senior-management involvement.

Staff training will vary depending on job function. For example, general training may be appropriate for all of an organization’s employees to acquaint them with the issue of identity theft and how it pertains to the organization and its patients. But additional, more targeted training would likely be appropriate for those staff members involved in patient registration, patient accounts, and other sensitive activities.

The fourth bullet point reflects the fact that many healthcare providers engage vendors to provide services for them. Where such services (e.g., billing and collections) involve access to covered accounts, healthcare providers must take steps to ensure that these vendor activities are done in compliance with the providers’ Identity Theft Prevention Programs. This means that the vendors must be contractually obligated to comply with the programs (e.g., by having internal policies and procedures for detecting red flags in performing services for the covered provider). Language requiring such vendor compliance could be part of the provider’s template for its business associate contracts.

Other recommendations for structuring such programs. Guidelines included in the Red Flag Rules[10] contain a number of additional recommendations for designing an Identity Theft Prevention Program. For example, in identifying relevant red flags, a creditor should consider the types of covered accounts it offers or maintains, how it opens and provides access to such accounts, and its previous experiences with identity theft. In performing this internal review, those patient accounts, billing records, etc., that contain patient identifying information should be given top priority.

The Guidelines also list examples of red flags that a creditor may consider incorporating into its program.[11] These fall under such categories as notifications/warnings from consumer reporting agencies; suspicious documentation; suspicious personal identifying information; unusual use of, or suspicious activity regarding, a covered account; and notices from customers, identity-theft victims, law enforcement, or others regarding possible identity theft in connection with a creditor’s covered accounts.

A number of the examples provided under these categories would probably not often occur in a healthcare context, but others may. For example, to a healthcare provider, suspicious documentation could include patient identification documents that appear forged or altered or that contain a photograph or physical description inconsistent with the patient’s actual appearance. Suspicious personal identifying information could include a patient’s address that turns out to be fictitious or a mail drop. Suspicious account activity could include cases where patient correspondence is repeatedly returned as undeliverable or not received. Other red flags that healthcare providers could experience include patient complaints about receiving bills for other individuals or for services not received, or a patient providing a health coverage number but no insurance card, to name just a few.

In responding to detected red flags, the Guidelines recommend that this be done in a manner “commensurate to the degree of risk posed.” This may include contacting the patient, changing passwords and security codes, reopening a covered account with a new account number, not opening a new covered account, closing an existing covered account, not attempting to collect on a covered account or selling a covered account to a debt collector, or notifying law enforcement—or, for that matter, determining that no response is warranted under the circumstances.
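The detection and response steps described in the two paragraphs above are what a provider’s program has to operationalize inside its registration and billing workflow. The following added example, which is not part of this article or of any FTC material, encodes the healthcare red flags listed above as checks over a single patient account record, scores the hits, and maps the total to a tiered response drawn from the responses the Guidelines list. The field names, weights, tier thresholds, and sample records are assumptions constructed for illustration; a real program would tailor all of them to the organization’s own accounts and risk assessment.

```python
"""Red-flag triage over a patient account record (illustrative, constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class AccountEvent:
    """Assumed snapshot of one patient account at registration or billing time."""
    account_id: str
    id_document_altered: bool = False        # staff judged the ID forged or altered
    photo_matches_patient: bool = True       # ID photo/description fits the patient
    address_type: str = "residential"        # "residential", "fictitious", "mail_drop"
    returned_mail_count: int = 0             # statements returned as undeliverable
    complaint_bill_not_received: bool = False  # patient disputes a bill for a service
    coverage_number_given: bool = False      # health coverage number supplied...
    insurance_card_presented: bool = True    # ...but no card shown


@dataclass
class RedFlag:
    name: str
    category: str    # category names follow the Guidelines' groupings
    weight: int      # assumed weights; higher = stronger indicator
    check: Callable[[AccountEvent], bool]


# Red flags taken from the healthcare examples in the article; weights are assumptions.
RED_FLAGS: List[RedFlag] = [
    RedFlag("altered identification document", "suspicious documentation", 3,
            lambda e: e.id_document_altered),
    RedFlag("photo or description inconsistent with patient", "suspicious documentation", 3,
            lambda e: not e.photo_matches_patient),
    RedFlag("fictitious address or mail drop", "suspicious personal identifying information", 2,
            lambda e: e.address_type in ("fictitious", "mail_drop")),
    RedFlag("correspondence repeatedly returned", "unusual account activity", 1,
            lambda e: e.returned_mail_count >= 2),   # threshold is an assumption
    RedFlag("complaint about bill for service not received", "notice from customer", 2,
            lambda e: e.complaint_bill_not_received),
    RedFlag("coverage number without insurance card", "suspicious personal identifying information", 1,
            lambda e: e.coverage_number_given and not e.insurance_card_presented),
]

# Response tiers, ordered by the Guidelines' "commensurate to the degree of risk" principle.
NO_RESPONSE = "no response warranted"
VERIFY = "contact patient to verify identifying information"
HOLD = "suspend billing and collection activity pending identity verification"
ESCALATE = "close or reissue account number; consider notifying law enforcement"


def detect_red_flags(event: AccountEvent) -> List[str]:
    """Return the names of every red flag whose check fires for this account."""
    return [flag.name for flag in RED_FLAGS if flag.check(event)]


def risk_score(event: AccountEvent) -> int:
    """Sum the weights of the red flags detected on the account."""
    return sum(flag.weight for flag in RED_FLAGS if flag.check(event))


def recommend_response(score: int) -> str:
    """Map a risk score to a response tier (tier boundaries are assumptions)."""
    if score == 0:
        return NO_RESPONSE
    if score <= 2:
        return VERIFY
    if score <= 4:
        return HOLD
    return ESCALATE


def triage(event: AccountEvent) -> Dict[str, object]:
    """Produce the record a reviewer would see: flags, score, and recommended action."""
    score = risk_score(event)
    return {
        "account_id": event.account_id,
        "red_flags": detect_red_flags(event),
        "score": score,
        "response": recommend_response(score),
    }


# Constructed sample accounts (not real data).
SAMPLE_EVENTS = [
    AccountEvent("ACCT-0001"),
    AccountEvent("ACCT-0002", returned_mail_count=3,
                 coverage_number_given=True, insurance_card_presented=False),
    AccountEvent("ACCT-0003", id_document_altered=True, address_type="mail_drop"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

Each check is deliberately a pure function of the account record, so the list of red flags can be reviewed and updated by the board or senior management as the program is revised, and the weights and tier boundaries are the part the organization calibrates to its own size and experience with identity theft.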

The Guidelines contain a number of other recommendations that healthcare organizations should consider in structuring their programs. How this is done in practice will depend on such factors as the nature of the organization and its size and complexity. A large hospital system would likely require a more sophisticated and comprehensive Identity Theft Prevention Program than would a two-physician medical practice.

Healthcare organizations that have not done so already should determine whether they are covered under the Federal Trade Commission’s Red Flag Rules. Upon having determined that it is covered under these rules, an organization must next find what its obligations are under the rules. One (perhaps the only) such obligation for a covered healthcare organization will be to have in place, by August 1, 2009, an Identity Theft Prevention Program appropriate to the organization’s size, scope, and complexity. In an industry as diverse as healthcare, this obviously precludes a “one size fits all” approach to program development. Covered healthcare organizations, therefore, may find that they need to act quickly to put into effect an appropriately tailored program between now and the new deadline for compliance.