FTC Red Flag Rules Enforcement Delayed Until June 1, 2010

The Federal Trade Commission (“FTC”) has again extended enforcement of the Red Flag Rules, now until June 1, 2010.

The latest delay comes at the request of Congress, which is considering a bill that amends the identity theft rule by eliminating entities with fewer than 20 employees from complying.  The House of Representatives passed that bill in late October 2009. The bill is now in the hands of the Senate.

The Red Flag Rules impact financial institutions and creditors subject to FTC jurisdiction. According to the Rules, created under the Fair and Accurate Credit Transactions Act, creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft.

Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to November 1, 2009.

For more information on the Red Flag Rules, visit: http://pvwlaw.wordpress.com/category/red-flag-rules/.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

FTC Extends the “Red Flag” Rules Deadline Again

The Federal Trade Commission (“FTC”) has now announced that it will postpone the enforcement of the red flag rules until November 1, 2009.  The red flag rules require creditors, including physicians and hospitals, to adopt written plans for tracking and responding to indicators of identity theft in their billing operations.  The move to extend the August 1, 2009 deadline is the third time the FTC has changed the enforcement date.  The agency is again promising additional resources and guidance.  Initially, the rules were intended to be enforced beginning in November 2008, but the agency offered a reprieve in response to significant confusion about the rules.  The FTC continues to maintain that hospitals and physicians are creditors for the purposes of the red flag rules because they accept deferred payment for their services.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Red Flag Rules Effective August 1, 2009

Just a reminder that the red flag rules will be enforced beginning August 1, 2009.  The red flag rules require creditors to implement a formal policy for detecting and preventing identity theft.  The rules were authorized under the 2003 Fair and Accurate Credit Transitions Act, which covers entities that regularly extend credit, or defer payment for services.  The FTC is still taking the position that health care providers are considered creditors under the rules.

The red flag rules require health care practices to identify red flags, or warning signs, of potential identity theft events, to develop a corporate policy for responding to such risks, and to train employees on the new policy.

Health care providers should consider the following when developing and implementing their identity theft prevention policies:

1. Identify warning signs of potential identity theft that may occur in day-to-day operations. Such red flags may include bills for services not provided, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.
2. Outline clear procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.
3. Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.
4. Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.
5. Review and update the identity theft prevention policy at least annually.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Red Flag Rules – The Next Steps for Physicians

The red flag rules, which require creditors to implement a formal policy for detecting and preventing identity theft, also apply to the healthcare industry. The effective date for the red flag rules has been delayed until August 1, 2009. The red flag rules were authorized under “the 2003 Fair and Accurate Credit Transitions Act, which” covers “entities that regularly extend credit, or defer payment for services.” The FTC claims that physicians are considered creditors under the rules. However, the American Medical Association and several medical organizations are continuing to challenge what they believe is an overly broad legal interpretation. In the meantime, organized medicine and legal experts urge doctors to implement the necessary compliance measures. The rules require physician practices to identify red flags, or warning signs, of potential identity theft occurrences, create a corporate policy for responding to such risks, and train staff on the new policy.

Physicians should follow these practical tips when developing and implementing their identity theft prevention policies:

• Identify warning signs of potential identity theft that may occur in daily operations. Such red flags may include bills for services not rendered, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.

• Outline clear procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.

• Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.

• Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.

• Review and update the identity theft prevention policy at least once a year.

 

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

FTC delays enforcement of the Red Flags Rules until August 1, 2009

 

The Federal Trade Commission (“FTC”) has delayed the enforcement date of the Red Flags Rules until August 1, 2009.

Last summer, the FTC announced that it would consider health care providers to be creditors when they accept insurance and bill patients after services are provided for any amounts that insurance does not pay; or if the health care providers regularly allow patients to set up payment plans after services have been performed. The FTC originally planned to begin enforcement of the Red Flag Rules on November 1, 2008, but due to concerns expressed by MGMA and others in the health care industry, the enforcement date was postponed until May 1, 2009.

As a result of continued advocacy efforts, the FTC announced on April 30, 2009, it will further delay enforcement until August 1, 2009 in order to give creditors and financial institutions additional time to develop and implement written identity theft prevention programs. The FTC also announced that it will soon release a template to assist entities with a low risk of identity theft in complying with the Red Flag Rules.

 

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

How to Identify Red Flags

 

A healthcare provider’s Identity Theft Prevention Program should identify red flags in four main categories: (1) suspicious documents; (2) suspicious personally identifying information; (3) suspicious activities; and (4) notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. 

 

All employees who interact with patients must be aware of things to look for in the following areas:

 

Suspicious documents

 

• Has a new patient provided identification documents that look altered or forged? 
• Is the photograph or physical description on the ID inconsistent with what the patient looks like? 
• Did the patient provide other documentation inconsistent with what he or she has told an employee – for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere?  

 

Suspicious personally identifying information

 

• If a patient provides information that does not match what an employee has learned from other sources, it may be a red flag of identity theft. 
• For instance, if the patient provides a home address, birth date, or Social Security number that does not match information on file or from the insurer, this may indicate fraud.

 

Suspicious activities

 

• Is mail returned repeatedly as undeliverable, even though the patient continues to show up for appointments? 
• Does a patient complain about receiving a bill for a service that he or she didn’t get? 
• Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? 

 

Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft

 

• Has the provider or an employee received word about identity theft from another source? 
• All employees must heed warnings from others that identity theft may be ongoing.

 

Although the above list provides some examples of things to look for to identify red flags, it is not intended to be an exhaustive list.  Instead, employees must continuously be aware of any signs of identity theft relevant to the healthcare provider’s practice and share this information with others involved in the Identity Theft Prevention Program.

 

 

 © 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

 

WHY DO HEALTH CARE PROVIDERS NEED TO BE AWARE OF THE RED FLAG RULES?

 

Many health care providers have been unaware of the Red Flag Rules or have been uncertain of the applicability of these requirements.  Under the Red Flag Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft.  Providers in general should be aware of the Red Flag Rules, should revisit their existing privacy and security compliance programs to ensure that the requirements of the Red Flag Rules have been addressed, and should take other actions to bring themselves into compliance with applicable requirements prior to the May 1, 2009 enforcement date.

 

Applicability to Health Care Providers

 

Under the Red Flag Rules, creditors that are subject to FTC enforcement under the Fair Credit Reporting Act (FCRA) with “covered accounts” must implement programs that identify, detect and respond to practices that could indicate identity theft.  Although opinions differ, it is likely that health care providers—whether they are for-profit or nonprofit—are subject to the Red Flag Rules because they (1) are creditors, (2) are subject to enforcement by the FTC under the FCRA, and (3) have “covered accounts.”

(1) Creditors. First, the Red Flag Rules apply to creditors.  A “creditor” is defined as any person or entity that regularly extends, renews, or continues credit.  The term “credit” means the right granted by a creditor to a debtor to defer payment of debt or to purchase services and defer payment for such services.  For health care providers, credit would result when, for instance, a health care provider grants a patient the right to defer payment for medical services rendered. Thus, a health care provider could be deemed a creditor because it “regularly extends, renews, or continues credit,” in the form of deferred payment for medical services, to patients and to others who utilize the health care provider’s services.

(2) Subject to FCRA enforcement.  The second step is to determine whether a health care provider is a creditor that is subject to the administrative enforcement of the FCRA by the FTC. An FCRA violation is enforced as a violation of the FTC Act.  Those subject to FCRA enforcement include any person, including a corporation, that violates the FCRA “irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests” of the FTC Act.  Thus, most “for profit” and “non-profit” health care providers are subject to FTC enforcement under the FCRA and, likewise, may be subject to the Red Flag Rules.

(3) Covered accounts.  Finally, the Red Flag Rules apply only to “covered accounts.” A covered account is defined broadly as (a) an “account … primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions”; or (b) “[a]ny other account … for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the … creditor from identity theft.”  Health care providers’ patient accounts appear to qualify as covered accounts under both prongs of the definition: (1) patient accounts serve “personal” and/or “family” purposes because such accounts relate to medical services for individuals and/or family members and often involve or permit multiple payments or transactions; and (2) health care provider accounts, including patient financial accounts, present possibilities for identity theft.

 

Requirements of a Red Flag Program

 

The Red Flag Rules mandate that a covered entity’s program should detect, prevent and mitigate identity theft in connection with covered accounts and should include reasonable policies and procedures to accomplish the following:

·         Identify red flags. To identify red flags, health care providers should consider the types of accounts offered and maintained, the methods used to open and provide access to such accounts, any previous experience with identity theft, and any suspicious activity related to patient accounts.  Health care providers should pay particular attention to actual or reasonably likely instances of medical identity theft, which is a growing problem.

·         Detect red flags. To detect red flags, a health care provider should have a process to authenticate patients, monitor transactions and verify the validity of change-of-address requests. Such a process might include requiring patients to produce identifying information to verify their identity at the inception of the account and when they present for service.

·         Respond to red flags. To respond to red flags, covered entities must make “appropriate responses” that prevent and mitigate identity theft.  For health care providers, appropriate responses might include responding to identity theft alerts from law enforcement or others, monitoring patients’ covered accounts, contacting patients when questions or concerns arise, changing passwords or security codes, refraining from collecting on an account or selling it to a debt collector, or notifying law enforcement as appropriate.

·         Ensure the program is updated. Covered entities should ensure the program is updated to reflect changing risks to patients or the safety of the provider from identity theft and medical identity theft. Health care providers should update their program to adequately respond to alerts from law enforcement and others, changes in the methods of identity theft, changes in the methods to detect and prevent identity theft, and changes to the health care provider’s business infrastructure.

·         Obtain board approval. The covered entity’s board of directors (or an appropriate board committee) must approve the identity theft prevention program and, thereafter, be involved directly, or through a designated senior management employee, in the oversight, development, implementation and administration of the program. Additionally, covered health care providers must assign specific responsibility for implementation, train staff, audit compliance, generate annual reports, and oversee anyone granted access to covered accounts.

 Much like the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Red Flag Rules give covered health care providers some flexibility in implementing their identity theft programs, taking into account the size and complexity of a health care provider’s business. A program developed in compliance with the Red Flag Rules may be part of a provider’s HIPAA compliance efforts. There is certainly overlap between the requirements of HIPAA and the Red Flag Rules, and many of these actions may already have been included in an organization’s HIPAA compliance efforts.

  © 2009 Parsonage Vandenack Williams LLC 

For more information, contact info@pvwlaw.com