Susan E. Gindin
The Federal Trade Commission's identity theft "red flags" rule has wide-sweeping ramifications for thousands of healthcare providers nationwide.
At a Glance
Important questions for hospitals to ask regarding the Federal Trade Commission's identity theft "red flags" rule include:
- What is the compliance deadline?
- Who must comply?
- What is required for compliance?
- What about HIPAA?
- What are the consequences of failure to comply?
According to the Federal Trade Commission (FTC), identity theft was the number one consumer complaint lodged in 2008. The FTC estimates that as many as nine million Americans have their identities stolen each year.
To stem the growing problem of identity theft, the FTC, the federal banking regulatory agencies, and the National Credit Union Administration (NCUA) issued the "red flags" rule on Nov. 9, 2007, as part of Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The rule is aimed at detecting, preventing, and reducing identity theft. (To access the rule, "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003," go to ftc.gov/redflagsrule.)
The rule requires certain businesses to develop identity theft protection programs or risk associated fines and other consequences. Affected organizations--including healthcare providers that allow consumers to make payments over time--must develop internal procedures to detect and respond to suspicious activity, or "red flags," that could indicate identity theft.
What Is the Compliance Deadline?
The compliance deadline for the rule was originally set for Nov. 1, 2008, but the FTC has delayed its enforcement until Aug. 1, 2009. The FTC moved the compliance deadline in part because it perceived that many entities, including healthcare providers, were unaware that they are regarded as "creditors" under the rule, especially as many of them had not been required to comply with the FTC's rules in other contexts.
Who Must Comply?
The FTC has confirmed that healthcare providers that regularly offer credit or payment plans to patients, or that allow patients to pay over time in installments, must comply with the rule by August 1. The rule does not apply to entities that accept payment by credit card only on a single-transaction basis.
In a Feb. 4, 2009, letter to Margaret Garikes, director of federal affairs for the American Medical Association, the FTC's Eileen Harrington explained:
The Red Flags Rule is intended to address all forms of identity theft, including those involving the provision of health care. . . . Medical identity theft can surface when a patient seeks care using the name or insurance information of another person, which can result in both false billing and the potentially life-threatening corruption of a patient's medical records. A nationwide survey conducted for the FTC found that 4.5 percent of the 8.3 million victims of identity theft had experienced some form of medical identity theft, including the fraudulent use of their health insurance to obtain medical care or to obtain health insurance in their name. The incidence of medical identity theft may be increasing.
All healthcare entities that allow patients to make payments over time are thus required to establish and maintain a written program, although the details will vary depending on factors such as the size of the healthcare provider, the kinds of consumer accounts the organization maintains, and the potential risk of identity theft.
What Is Required for Compliance?
Affected organizations must create and institute a written program appropriate to their size and operations that:
- Identifies "red flags"--patterns, practices, and specific forms of activity that indicate the possible existence of identity theft--and provides procedures for detecting them in day-to-day operations
- Proposes responses if red flags are detected in order to prevent identity theft from occurring or to reduce its effect if it has already occurred
- Provides for training of staff and oversight of any service providers
- Provides a plan for periodic updating of the program
- Is well-documented and approved by the board of directors, board committee, or senior management (if there is no board)
Each requirement is explained more fully below.
Identification of red flags and detection in day-to-day operations. The rule supplies an extensive list of potential red flags that organizations can draw on when identifying the red flags relevant to their own operations and when detecting those flags in day-to-day activity.
For hospitals, an appropriate first step before providing medical services (and one that most hospitals already perform) is to check photo IDs and insurance information or credit cards to ensure that these forms of identification match the person and name on the account. Attempted use of a photocopied driver's license as proof of identification, or of an ID on which the photo or physical information does not match the patient's appearance, would be red flags.
Other examples of red flags that a healthcare provider might identify and use in its day-to-day operations to detect identity theft include:
- Identifying information that is inconsistent when compared with external information sources--an address, for example, that does not match any address in the consumer report, or a Social Security number that has not been issued or is listed on the Social Security Administration's Death Master File
- A suspicious patient address--a mail drop, for example, or prison address--or telephone number that is invalid or is associated with a pager or answering service
- Account statements mailed to the patient that are returned repeatedly as undeliverable
Responses to prevent or mitigate identity theft. The program must also plan for appropriate responses to prevent or mitigate identity theft if a red flag is detected. Examples of possible appropriate responses a healthcare provider may take include:
- Ensuring that information relating to the identity thief is not commingled with information relating to the victim (e.g., medical records or consumer reports)
- Contacting an insurance carrier to prevent the misuse of stolen information
- Notifying the patient of any potential fraud
- Changing account numbers
- Notifying law enforcement
- Delaying billing the consumer until the provider is able to determine that there is no identity theft
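The detection examples above (identifying information inconsistent with a consumer report, an SSN never issued or listed on the Death Master File, a mail-drop address, an invalid or pager-type telephone number, repeatedly returned statements) and the response examples (segregating the thief's data from the victim's, notifying the patient, holding billing) can be expressed as a small screening routine that a billing office might run before an account is billed. The following is an added illustration, not FTC material or any provider's actual program. All reference data in it is constructed: the Death Master File excerpt, the mail-drop list, the pager-number list and the consumer-report addresses are sample values. The SSN structure rule (area 000, 666 or 900-999, group 00 and serial 0000 are never issued) and the NANP telephone format (ten digits, area code and exchange beginning 2-9) are published facts; the "repeatedly undeliverable" threshold of two returns is an assumption chosen for the example.

```python
"""Red-flag screening for a patient account (constructed illustration).

Assumed: the external reference sets below are stand-ins for real lookups
(consumer report, SSA Death Master File, CMRA registry). Nothing here is
real patient or SSA data.
"""
import re
from dataclasses import dataclass

# --- Constructed reference data (stand-ins for external sources) ----------
DEATH_MASTER_FILE = {"219-09-9999"}                 # constructed excerpt
MAIL_DROP_ADDRESSES = {"100 main st ste 200"}       # constructed CMRA list
PAGER_OR_ANSWERING_SERVICE = {"3035550199"}         # constructed numbers
CONSUMER_REPORT_ADDRESSES = {                       # constructed, by account
    "ACCT-1": {"12 elm st"},
    "ACCT-2": {"45 oak ave"},
    "ACCT-3": {"7 pine rd"},
}
RETURNED_MAIL_THRESHOLD = 2  # assumption: two returns counts as "repeatedly"


@dataclass
class PatientAccount:
    account_id: str
    ssn: str
    address: str
    phone: str
    returned_statements: int = 0


def normalize(text: str) -> str:
    """Lower-case, drop commas and collapse whitespace for address compares."""
    return " ".join(text.lower().replace(",", "").split())


def digits(text: str) -> str:
    return re.sub(r"\D", "", text)


def ssn_is_structurally_invalid(ssn: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        return True
    area, group, serial = (int(p) for p in m.groups())
    return area in (0, 666) or area >= 900 or group == 0 or serial == 0


def phone_is_invalid(phone: str) -> bool:
    """NANP: exactly 10 digits; area code and exchange each start with 2-9."""
    return not re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", digits(phone))


def detect_red_flags(acct: PatientAccount) -> list:
    """Return the names of the red flags present on one account."""
    flags = []
    if ssn_is_structurally_invalid(acct.ssn):
        flags.append("ssn_not_issued")
    if acct.ssn in DEATH_MASTER_FILE:
        flags.append("ssn_in_death_master_file")
    addr = normalize(acct.address)
    if addr not in CONSUMER_REPORT_ADDRESSES.get(acct.account_id, set()):
        flags.append("address_mismatch_consumer_report")
    if addr in MAIL_DROP_ADDRESSES:
        flags.append("mail_drop_address")
    if phone_is_invalid(acct.phone):
        flags.append("invalid_phone")
    elif digits(acct.phone) in PAGER_OR_ANSWERING_SERVICE:
        flags.append("pager_or_answering_service_phone")
    if acct.returned_statements >= RETURNED_MAIL_THRESHOLD:
        flags.append("statements_repeatedly_undeliverable")
    return flags


# Mitigations drawn from the article's response list, keyed by flag.
RESPONSES = {
    "ssn_not_issued": ["re-verify identity documents in person",
                       "notify patient of possible fraud"],
    "ssn_in_death_master_file": ["keep suspect records separate from victim's",
                                 "notify insurance carrier", "notify law enforcement"],
    "address_mismatch_consumer_report": ["confirm address with patient before billing"],
    "mail_drop_address": ["confirm address with patient before billing"],
    "invalid_phone": ["obtain a working contact number"],
    "pager_or_answering_service_phone": ["obtain a direct contact number"],
    "statements_repeatedly_undeliverable": ["confirm address with patient before billing",
                                            "notify patient of possible fraud"],
}


def plan_response(flags: list) -> list:
    """Any flag holds billing; further actions follow from the specific flags."""
    actions = ["hold billing until identity theft is ruled out"] if flags else []
    for flag in flags:
        for action in RESPONSES.get(flag, []):
            if action not in actions:
                actions.append(action)
    return actions


# Constructed sample accounts: one clean, one heavily flagged, one mixed.
SAMPLE_ACCOUNTS = [
    PatientAccount("ACCT-1", "212-34-5678", "12 Elm St", "303-555-0123"),
    PatientAccount("ACCT-2", "219-09-9999", "100 Main St, Ste 200", "303-555-0199", 3),
    PatientAccount("ACCT-3", "000-12-3456", "7 Pine Rd", "303-155-0123"),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        flags = detect_red_flags(acct)
        print(acct.account_id, flags, plan_response(flags))
```

The screening is deliberately a rule list rather than a score, because the rule asks the program to name the flags it looks for and the response planned for each; a flat list of named flags maps directly onto that written program and onto the annual report to the board.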
Training of staff and oversight of service providers. The program must include staff training, and provide oversight for any service providers who have access to patient information.
Periodic updating. The program must provide a plan for periodic updating of the program (for example, to determine whether it is working and address any new means of identity theft).
Board approval. The initial written program must be approved by the board of directors or a committee of the board. If the entity has no board of directors, the plan must be approved by senior management. The board, board committee, or senior management must also oversee the implementation and administration of the program, review reports regarding the program (which must be prepared by staff annually), and approve significant changes to the program.
The FTC does not expect a "one-size-fits-all" approach to compliance. The program should be appropriate to the healthcare provider's size, operations, and potential risk. A small medical group that knows its patients could have a streamlined and much less complex program than a hospital. In fact, the FTC has posted a do-it-yourself template to help such "low-risk" organizations create an appropriate program.
What About HIPAA?
In some respects, the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA) overlap the red flags rule's requirements. The FTC maintains, however, that the rule picks up where HIPAA's data security requirements leave off, so healthcare providers still must have a red flags program.
In her Feb. 4, 2009 letter to the AMA, the FTC's Eileen Harrington explained:
A comprehensive approach to combating medical identity theft . . . must include measures aimed not only at preventing the compromise of patient information, but also at preventing or mitigating the misuse of that information if it is compromised. The Rule is designed to prevent identity theft primarily by ensuring that organizations are alert to signs that an identity thief is using someone else's identifying information fraudulently to obtain products or services, including services such as medical care. Thus, the Red Flags Rule generally complements rather than duplicates the HIPAA data security requirements.
What Are the Consequences of Failure to Comply?
The initial written program, reports, and any decisions made regarding the program must be well documented. The current penalties for failure to comply with the "red flags" rule include fines of up to $2,500 per violation and regulatory enforcement actions. There is also a risk of harm to the organization's reputation.
There are benefits to compliance. The rule will likely become a standard of care for appropriate handling of consumer information. In addition, a healthcare provider's well-documented and compliant program will be helpful if the organization is ever implicated in the identity theft of one of its patients.
Finally, it's important to remember that the focus of the rule is to prevent identity theft in the first place, and such prevention also benefits organizations that are required to have a program in place. After all, the goal of the identity thief is to avoid paying altogether. An effective red flags identity theft program will help an organization avoid providing services to those who have no intention to pay.
The final compliance deadline is fast approaching. It is therefore critical that hospitals' financial leaders be able to answer two questions without hesitation: Does my organization qualify as a "creditor" under the "red flags" rule? And, if so, what steps has my organization taken to ensure compliance by Aug. 1? Any uncertainty about the answers to either of these questions means it is time for quick action.
Susan Gindin, JD, is an attorney and Of Counsel, Isaacson Rosenbaum P.C., Denver (firstname.lastname@example.org).
Publication Date: Wednesday, July 01, 2009