The Federal Trade Commission, together with most other federal financial regulators jointly issued "Red Flag rules" under the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681m(e)) to require creditors to develop and implement written programs to detect, prevent, and mitigate identity theft in connection with credit transactions (hereinafter, "Program") by November 1, 2008. As is the case with the Health Insurance Portability and Accountability Act (HIPAA), the Red Flag rules provide covered healthcare entities with significant flexibility in implementing their Program, taking into account the size, complexity and nature of a healthcare provider's operations.

Hospitals and healthcare providers are generally subject to the Red Flag rules only if the provider regularly extends, renews or continues credit; arranges for the extension of credit; or is an assignee of an original creditor and participated in the decision to extend the credit, with respect to a "covered account." A covered account includes any account where (1) the debt was for personal, family, or household purposes and the credit involves or was designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to (a) customers or patients, or (b) the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The term "credit" refers to the right to defer payment of a debt or to purchase property or services and defer payment therefor. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor.

Under the Red Flag rules, creditors' written Programs must establish policies and procedures to:

  • Identify relevant patterns, practices, or activities that indicate the possible existence of identity theft (i.e., Red Flags) associated with the provider's credit accounts;
  • Detect Red Flags occurring during the operation of its credit program;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically, to reflect changes in risks.

Guidelines (published as Appendix J to 12 C.F.R. Pt. 41) also were promulgated by the federal agencies to assist creditors in creating a Red Flag Program.

Providers must obtain approval of the initial written Program from either the board of directors or an appropriate committee of the board of directors. Providers must assign specific responsibility for carrying out the Program to the board of directors, an appropriate board committee, or a designated employee at the level of senior management with respect to the oversight, development, implementation, and administration of the Program. In addition, staff must be trained to effectively implement the Program.

It is important to remember that the Red Flag rules are in addition to the HIPAA privacy rule as well as the various state security breach notification statutes, identity theft prevention laws, and federal (15 U.S.C. § 1681c(g)) and state limitations on credit card account number receipt truncation laws (i.e., laws that prohibit disclosing more than the last five digits of a credit card account number, and in some cases, the expiration date of a credit card on a credit card receipt).

A good listing of the various state security breach statutes is available online. For a more complete discussion of the Texas identity theft prevention statute, please see the May 2, 2007, issue of the Health Law Update.