The New “Red Flags” Rule for Healthcare Providers

Laura Gerdes Long

Note: On October 30, 2009, enforcement of the FTC Red Flags Rule was again postponed, this time to June 1, 2010, at Congressional request. Also on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. The American Bar Association had filed a lawsuit against the FTC alleging that a “creditor” cannot include professionals such as lawyers or healthcare providers. In addition, the House of Representatives passed a bill on October 20, 2009, excluding health care, accounting and legal practices with 20 or fewer employees from the definition of “creditor”. That bill has gone to the Senate.

Identity theft is rampant in today’s society. As many as ten million individuals per year become victims of identity theft, and the number of medical identity theft cases is on the rise. In response to this growing problem, several federal agencies jointly promulgated regulations that require certain entities to implement a plan to detect, prevent, and correct identity theft. The “Red Flags Rule” applies to various types of entities, including most healthcare providers. Thus, entities ranging from a small doctor’s office to a hospital must be in compliance with the new Red Flags Rule by the date on which the Federal Trade Commission (“FTC”) will begin enforcing the Rule. After that date, an entity may be penalized up to $3,500 per violation. Thus, healthcare providers need to take steps to comply, including creating an Identity Theft Prevention Program.

Before understanding the Rule, a healthcare provider must determine whether it is subject to the Rule in the first place. Under the Red Flags Rule, any “creditor” that offers or maintains one or more “covered accounts” is required to develop and implement a written Identity Theft Prevention Program. A “creditor” is defined as any person who regularly extends, renews, or continues credit. Healthcare providers will be considered a “creditor” if they regularly bill patients after the completion of services, allow payment plans after services have been rendered, or aid patients in obtaining credit from other sources (see note).

Under the Rule, a “covered account” is defined as (1) an account a creditor offers or maintains that involves or is designed to permit multiple payments or transactions, and (2) any other account the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft. The second portion of the definition is very broad and may include records that an entity may not recognize as a “covered account.” For healthcare providers, this definition of “covered account” generally encompasses patient and employee records. Thus, the vast majority of healthcare providers are subject to the Red Flags Rule and must comply.

Development of Identity Theft Prevention Program

With proper guidance, a healthcare provider can establish an Identity Theft Prevention Program that will comply with the Red Flags Rule. The Red Flags Rule does not require any specific practices or procedures, because it provides flexibility to tailor a Program to the nature of the business and the risks it faces. In other words, the Program is scalable to the size and complexity of the entity and the nature and scope of its activities. In the case of a company at high risk for identity theft, such as a large hospital system, the Program may need more robust procedures, including strict verification procedures for each and every patient’s identity. However, such extensive procedures would be inappropriate for a low-risk company, such as a solo practitioner, who can personally identify and verify each patient. Thus, there are no set procedures for a Program; it is a discretionary decision that should be made by someone knowledgeable about the business and its day-to-day operations.

Although the Red Flags Rule does not establish specific procedures, it does require that any Program include “reasonable” policies and procedures to:

  • Identify relevant patterns, practices, and specific kinds of activity that may be “red flags” signaling possible identity theft;
  • Detect red flags;
  • Respond to those detected red flags to prevent and mitigate identity theft; and 
  • Update the Program periodically to reflect changes in identity theft risks.

For red flag identification, a healthcare provider should review its own experiences with identity theft and incorporate that knowledge into the Program. Red flags should include concerns raised by patients — both internally and externally. Some examples of such red flags could be suspicious account activity, inconsistent personally identifying information, inconsistent medical histories, and possibly altered identification documents. For red flag detection, a healthcare provider should state what procedures will be in place in the day-to-day operations to detect red flags, which may include procedures to authenticate a new patient and verify the validity of any changed information. For prevention and mitigation of identity theft, a healthcare provider should take necessary steps such as notifying the real patient or law enforcement, monitoring an account and correcting the medical record. Lastly, a healthcare provider must periodically review and reflect on its experience with identity theft and update its Program to verify the effectiveness of the Program.

Even if the Red Flags Rule does not apply to your practice, it may still be advisable to develop an Identity Theft Prevention Program. In the event of a medical identity theft, the federal government and health insurance companies may require a healthcare provider to pay reimbursement for claims made. Furthermore, if a healthcare provider files a claim and later learns that medical identity theft has occurred without taking corrective measures, the provider may be subject to criminal and civil penalties based upon fraud. Importantly, medical identity theft also puts the life of the victim at risk, which plainly could lead to potential civil liability for a healthcare provider. False entries in a medical history can lead to improper medical treatment, denial or exhaustion of health insurance, or an individual’s uninsurability for life or health insurance. An Identity Theft Prevention Program is an important tool for a healthcare provider to minimize its liability and risks, and risks to its patients, even if it is not subject to the new Red Flags Rule.

The task of developing an Identity Theft Prevention Program may seem daunting, but a provider should not feel overwhelmed. A successful Program for a healthcare provider will build on existing efforts already in use to combat fraud and protect patient privacy. A healthcare provider should review and adapt the tools it currently uses to comply with HIPAA and state privacy, security, and breach notification laws to satisfy the new Red Flags Rule. Thus, with its current tools and available resources, a healthcare provider is already on the way to developing a compliant Identity Theft Prevention Program.

Implementation and Administration

Healthcare providers must be mindful of key issues regarding the implementation and administration of an Identity Theft Prevention Program. Staff training and delegation of duties may generate issues for a healthcare provider attempting to implement and administer such a Program. Internal staff must be trained as necessary. If a healthcare provider outsources or subcontracts portions of its operations that would be covered by the Red Flags Rule, then the Program must address how the provider will monitor the contractor’s compliance. Furthermore, periodic supervision and review after any incident of identity theft will be invaluable to the proper functioning of a Program.

Management and the board of directors of a healthcare provider are required by the Red Flags Rule to play a central role in the creation, implementation and continued administration of the Program. According to the regulations, either the board of directors, or an appropriate committee thereof, must approve the initial written Program. Other responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how the practice is complying with the Rule, and approving important changes to the Program. The board of directors should also receive at least annual reports regarding the administration of the Program. Thus, it is critical that a board of directors or management remain active in the administration of the Program to ensure compliance with the Rule. Mere creation of a Program will not shield a healthcare provider from civil fines under the Red Flags Rule.

Conclusion

When the FTC begins enforcing the Red Flags Rule, it will require any entity that regularly extends, renews, or continues credit concerning a “covered account” to develop and implement an Identity Theft Prevention Program. The Rule does not set specific procedures, but the Program must identify how the entity will:

  • Identify red flags; 
  • Detect red flags; 
  • Prevent and mitigate identity theft; and 
  • Update its Program.

As long as a healthcare provider begins with its current tools and available resources, it can develop a Program that complies with the Rule. In the implementation and administration, a healthcare provider must be mindful of certain issues, such as delegation of operations, and its board of directors and management must maintain periodic supervision. Although the task may seem daunting, a healthcare provider can successfully comply with the requirements of the new Red Flags Rule, if it takes the proper steps now.

This article was co-authored by Laura Gerdes Long & David Binder.
