The Federal Trade Commission (the FTC) announced on April 30, 2009, that it would delay enforcement of the Red Flag Rules (the Rules) until August 1, 2009. The FTC initially announced that enforcement of the Rules would begin on November 1, 2008, but then extended the compliance date to May 1, 2009. This second extension gives health care providers additional time to develop practical and compliant identity theft prevention policies and procedures required by the Rules.
In its April 30 announcement, the FTC also said that it plans to issue a template policy for compliance with the Rules for businesses with a low risk of identity theft (e.g., those that personally know their customers). This template may be useful for small health care providers, such as solo physicians or small group practices.
FTC Explains Why the Red Flag Rules Apply to Health Care Providers
Prior to issuing the second delay in enforcement, and in response to a request from the American Medical Association, the FTC confirmed that the Rules apply to health care providers. As explained in detail in Drinker Biddle’s October 2008 Client Memorandum (available at http://www.drinkerbiddle.com/publications/), the Rules require “creditors” with “covered accounts” to develop and administer a written identity theft prevention program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or with maintenance of any existing covered account.
The Dispute Between the AMA and the FTC
In 2008, the AMA wrote to the FTC arguing that health care providers are not “creditors” under the Rules and, therefore, are not covered by them. The AMA also asserted that health care providers should not have to comply with the Rules because they already must comply with the Health Insurance Portability and Accountability Act (HIPAA). Finally, the AMA argued that applying the Rules to health care providers could have unintended consequences on the practice of medicine, such as forcing physicians to require payment at the time of services.
After meeting with AMA representatives in November 2008, the FTC issued a letter dated February 4, 2009 (the Letter), explaining why health care providers are covered by the Rules. The following is a summary of the FTC’s responses to the AMA’s arguments.
Health Care Providers Are “Creditors” Under the Red Flag Rules
In its Letter, the FTC analyzed the use of the word “creditors” in the Rules to respond to the AMA’s argument that health care providers are not creditors under the Rules. The Rules were written as part of a mandate by Congress under the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act. Under these and related laws, the terms “credit” and “creditor” include all entities that extend credit and do not exclude any industries. Congress would have had to specifically exclude health care providers from these definitions for them to be excluded from the Rules.
Furthermore, according to the FTC, the financial relationships among health care providers, patients and insurers have “fundamental credit aspects.” When health care providers submit claims to health insurers and bill patients later for the remaining unpaid amounts, the providers are deferring the patients’ payment of their share of the claims. Many times, health care providers require patients to sign acknowledgments that they will pay the amount for which they are responsible under the insurance policy. Health care providers also may use collection agencies and consumer reporting agencies to aid in the collection of unpaid bills. The FTC cited these types of activities in support of its argument that health care providers are engaged in a business involving credit.
The Red Flag Rules Complement HIPAA
In response to the AMA’s assertion that health care providers should not have to comply with the Rules because they already must comply with HIPAA, the FTC responded that the Rules complement HIPAA rather than duplicating its requirements. HIPAA focuses on data security, protecting patient information from breach and misuse while it is in the provider’s custody. The Rules go a step further: in addition to protecting patient information from disclosure, they require entities to detect and prevent the misuse of patient information after it has already been compromised. In short, the Rules are designed to ensure that organizations stay alert for signs that someone is using another person’s information to obtain services fraudulently.
Having an identity theft plan in place will help prevent situations such as the medical identity theft that was discovered this year in Illinois. A woman used another person’s identity to obtain $530,000 worth of medical treatment and two surgeries for ovarian cancer at a clinic and two hospitals.
The Red Flag Rules Are Flexible
The AMA also argued that the Rules could have unintended consequences on the practice of medicine. In response, the FTC noted that in developing the Rules, it considered that creditors with a low risk of identity theft could be unduly burdened. Therefore, the requirements in the Rules are risk-based, so that the structure of an entity’s identity theft prevention program may vary depending on its level of risk.
Under the Rules, high-risk entities will have more comprehensive programs, low-risk entities will have more streamlined programs, and entities with minimal risk will have a very low burden under the Rules. For example, a clinic in an urban area with a high volume of patients would have a more elaborate identity theft prevention program than a small rural medical practice whose patients are personally known to the staff.
In a medical practice with a low risk of identity theft, policies and procedures for compliance with the Rules may include checking identification when a patient arrives for services and having a plan of action in the event that the practice becomes aware that a patient’s medical information or identity may have been compromised. In the event of potential identity theft, procedures a health care provider may adopt include halting debt collection from the patient, not reporting disputed balances to a consumer reporting agency and/or segregating the patient’s confirmed information from the disputed information.
FTC Issues Red Flag Rules Compliance Guide
The FTC issued a guide entitled “Fighting Fraud with the Red Flags Rule: A How-To Guide for Business” (the Guide) on April 2, 2009. In the Guide, the FTC discusses how businesses can create a compliant identity theft prevention program that: (1) includes reasonable policies and procedures to identify the “red flags” of identity theft relevant to the business; (2) is designed to detect those identified red flags in day-to-day operations; (3) lists the appropriate actions that will be taken when red flags are detected; and (4) addresses how the program will be periodically reevaluated to reflect new risks. The Guide also provides information on how to administer an identity theft prevention program, including obtaining the approval of a governing board to implement the program and providing ongoing oversight of the program. The guidance applies to programs for high-risk and lower-risk entities alike.
For More Information
For assistance in developing an identity theft prevention program by the August 1, 2009, enforcement date, you may wish to review our October 2008 Health Law Client Memorandum, “Red Flag Rules Apply to Health Care Providers,” which describes the Rules’ requirements in detail. In addition, the FTC has launched a Red Flag Rules website that includes the Guide and related information, at http://www.ftc.gov/redflagsrule.