The New “Red Flags” Rule for Healthcare Providers

Laura Gerdes Long

NOTE: After numerous postponements of implementation of the FTC Red Flags Rule, President Obama signed the Red Flags Program Clarification Act of 2010 (“Act”) on December 18, 2010, which was effective January 1, 2011. This Act limits the scope of the Red Flags Rule by narrowing the definition of a “creditor”, which the Federal Trade Commission had previously broadly interpreted to include all health care providers, among other service professionals.

The Act amends the definition of a creditor to mean any creditor that (i) in the ordinary course of business obtains or uses credit reports in connection with a credit transaction, (ii) furnishes information to a credit reporting agency in connection with a credit transaction, or (iii) advances funds to a person on the obligation of repayment. Under this new definition, typically physicians and attorneys will not be considered creditors for purposes of the Red Flags Rule.

Certain healthcare providers, however, that use or obtain consumer reports routinely in connection with credit transactions or that furnish information to consumer reporting agencies may still meet the definition and thus be subject to the Red Flags Rule. This potentially means that hospitals or physician groups that routinely submit information about non-paying patients to collection agencies, which in turn submit such information to credit reporting agencies, will need to be in compliance with the Red Flags Rule.

In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent identity theft. Therefore, whether or not a health care provider is directly affected by the Red Flags Rule by falling within the definition of creditor, providers should still be encouraged to implement an Identity Theft Prevention Program to detect warning signs, or “red flags”, that could indicate identity theft.

Identity theft is rampant in today’s society. As many as ten million individuals per year become victims of identity theft, and the number of medical identity theft cases is on the rise. In response to this growing problem, several federal agencies jointly promulgated regulations that require certain entities to implement a plan to detect, prevent, and correct identity theft. The “Red Flags Rule” applies to various types of entities, including most healthcare providers. Thus, entities ranging from a small doctor’s office to a hospital must be in compliance with the new Red Flags Rule by the date on which the Federal Trade Commission (“FTC”) will begin enforcing the Rule. After that date, an entity may be penalized up to $3,500 per violation. Thus, healthcare providers need to take steps to comply, including creating an Identity Theft Prevention Program.

Before understanding the Rule, a healthcare provider must determine whether it is subject to the Rule in the first place. Under the Red Flags Rule, any “creditor” that offers or maintains one or more “covered accounts” is required to develop and implement a written Identity Theft Prevention Program. A “creditor” is defined as any person who regularly extends, renews, or continues credit. Healthcare providers will be considered a “creditor” if they regularly bill patients after the completion of services, allow payment plans after services have been rendered, or aid patients in obtaining credit from other sources (see note).

Under the Rule, a “covered account” is defined as (1) an account a creditor offers or maintains that involves or is designed to permit multiple payments or transactions, and (2) any other account the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft. The second portion of the definition is very broad and may include records that an entity may not recognize as a “covered account.” For healthcare providers, this definition of “covered account” generally encompasses patient and employee records. Thus, the vast majority of healthcare providers are subject to the Red Flags Rule and must comply.

Development of Identity Theft Prevention Program

With proper guidance, a healthcare provider can establish an Identity Theft Prevention Program that will comply with the Red Flags Rule. The Red Flags Rule does not require any specific practices or procedures, because it provides flexibility to tailor a Program to the nature of the business and the risks it faces. In other words, the Program is scalable to the size and complexity of the entity and the nature and scope of its activities. In the case of a company at high risk for identity theft, such as a large hospital system, the Program may need more robust procedures, including strict verification procedures for each and every patient’s identity. However, such extensive procedures would be inappropriate for a low-risk company, such as a solo practitioner, who can identify and verify each patient personally. Thus, there are no set procedures for a Program; its contents are a discretionary decision that should be made by someone knowledgeable about the business and its day-to-day operations.

Although the Red Flags Rule does not establish specific procedures, it does require that any Program include “reasonable” policies and procedures to:

  • Identify relevant patterns, practices, and specific kinds of activity that may be “red flags” signaling possible identity theft;
  • Detect red flags;
  • Respond to those detected red flags to prevent and mitigate identity theft; and
  • Update the Program periodically to reflect changes in identity theft risks.

For red flag identification, a healthcare provider should review its own experiences with identity theft and incorporate that knowledge into the Program. Red flags should include concerns raised both internally by staff and externally by patients. Some examples of such red flags could be suspicious account activity, inconsistent personally identifying information, inconsistent medical histories, and possibly altered identification documents. For red flag detection, a healthcare provider should state what procedures will be in place in its day-to-day operations to detect red flags, which may include procedures to authenticate a new patient and to verify the validity of any changed information. For prevention and mitigation of identity theft, a healthcare provider should take necessary steps such as notifying the real patient or law enforcement, monitoring the account, and correcting the medical record. Lastly, a healthcare provider must periodically review and reflect on its experience with identity theft and update its Program to verify the effectiveness of the Program.

Even if the Red Flags Rule does not apply to your practice, it may still be advisable to develop an Identity Theft Prevention Program. In the event of a medical identity theft, the federal government and health insurance companies may require a healthcare provider to pay reimbursement for claims made. Furthermore, if a healthcare provider files a claim and later learns that medical identity theft has occurred without taking corrective measures, the provider may be subject to criminal and civil penalties based upon fraud. Importantly, medical identity theft also puts the life of the victim at risk, which plainly could lead to potential civil liability for a healthcare provider. False entries in a medical history can lead to improper medical treatment, denial or exhaustion of health insurance, or an individual’s uninsurability for life or health insurance. An Identity Theft Prevention Program is an important tool for a healthcare provider to minimize its liability and risks, and risks to its patients, even if it is not subject to the new Red Flags Rule.

The task of developing an Identity Theft Prevention Program may seem daunting, but a provider should not feel overwhelmed. A successful Program for a healthcare provider will build on existing efforts already in use to combat fraud and protect patient privacy. A healthcare provider should review and adapt the tools it currently uses to comply with HIPAA and state privacy, security, and breach notification laws to satisfy the new Red Flags Rule. Thus, with its current tools and available resources, a healthcare provider is already on the way to developing a compliant Identity Theft Prevention Program.

Implementation and Administration

Healthcare providers must be mindful of key issues regarding the implementation and administration of an Identity Theft Prevention Program. Staff training and delegation of duties may generate issues for a healthcare provider attempting to implement and administer such a Program. Internal staff must be trained as necessary. If a healthcare provider outsources or subcontracts portions of its operations that would be covered by the Red Flags Rule, then the Program must address how the provider will monitor the contractor’s compliance. Furthermore, periodic supervision and review after any incident of identity theft will be invaluable to the proper functioning of a Program.

Management and the board of directors of a healthcare provider are required by the Red Flags Rule to play a central role in the creation, implementation and continued administration of the Program. According to the regulations, either the board of directors, or an appropriate committee thereof, must approve the initial written Program. Other responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how the practice is complying with the Rule, and approving important changes to the Program. The board of directors should also receive at least annual reports regarding the administration of the Program. Thus, it is critical that a board of directors or management remain active in the administration of the Program to ensure compliance with the Rule. Mere creation of a Program will not shield a healthcare provider from civil fines under the Red Flags Rule.

When the FTC begins enforcing the Red Flags Rule, it will require any entity that regularly extends, renews, or continues credit concerning a “covered account” to develop and implement an Identity Theft Prevention Program. The Rule does not set specific procedures, but the Program must identify how the entity will:

  • Identify red flags;
  • Detect red flags;
  • Prevent and mitigate identity theft; and
  • Update its Program.

As long as a healthcare provider begins with its current tools and available resources, it can develop a Program that complies with the Rule. In the implementation and administration, a healthcare provider must be mindful of certain issues, such as delegation of operations, and its board of directors and management must maintain periodic supervision. Although the task may seem daunting, a healthcare provider can successfully comply with the requirements of the new Red Flags Rule, if it takes the proper steps now.

This article was co-authored by Laura Gerdes Long & David Binder.

Note updated 1/24/2011.