Health Care Providers’ Deadline to Implement “Red Flag Rules” Identity Theft Programs Is November 1, 2008

Health care providers have until November 1, 2008, to implement programs to address the issue of identity theft, a growing problem that can have particularly disastrous results in the medical context.  This requirement is imposed by amendments — known as the “Red Flag Rules” — to the federal Fair and Accurate Credit Transactions Act.

In short, a Red Flag Rules program must be designed to identify, detect, and respond to “red flags,” namely those patterns, practices, or specific activities that could indicate identity theft.

Many health care providers are not aware of the Red Flag Rules because the implementing regulations were jointly promulgated by the Federal Trade Commission (FTC) and various federal banking regulators rather than by CMS or other agencies that providers are likely to monitor.

The Red Flag Rules apply to “creditors” that have “covered accounts.”  Although the definitions of these terms are complex, and are not crystal clear, the definitions themselves and FTC guidance indicate that health care providers would fall within the relevant definitions and therefore be subject to enforcement by the FTC under the Fair Credit Reporting Act.

The five basic required elements of a Red Flag Rules program are as follows:

1.)  Identify red flags (for example, by considering billing practices and any history of suspicious patient information activity)

2.)  Detect red flags (for example, by having authentication processes to verify patient identity, changes of address, etc.)

3.)  Respond to red flags (for example, by seeking verification or monitoring patient accounts when suspicious activity occurs, and involving law enforcement when warranted)

4.)  Update the program (for example, by responding to changes in methods of identity theft, incorporating new developments in identity theft prevention, and responding to alerts from law enforcement) 

5.)  Approval and Oversight (the program must have the initial approval of the entity’s board of directors or similar governing body; it must be overseen by an employee of at least senior management level status; it must include staff training; and it must include oversight of service provider arrangements)

The Red Flag Rules afford entities flexibility in designing programs appropriate to their size and complexity and the nature and scope of their operations.



© 2008 Parsonage Vandenack Williams LLC


For more information, contact
