Health care providers have until November 1, 2008, to implement programs to address the issue of identity theft, a growing problem that can have particularly disastrous results in the medical context. This requirement is imposed by amendments — known as the “Red Flag Rules” — to the federal Fair and Accurate Credit Transactions Act.
In short, a Red Flag Rules program must be designed to identify, detect, and respond to “red flags,” namely those patterns, practices, or specific activities that could indicate identity theft.
Many health care providers are not aware of the Red Flag Rules because the implementing regulations were jointly promulgated by the Federal Trade Commission (FTC) and various federal banking regulators, rather than by CMS or other agencies that providers are likely to monitor.
The Red Flag Rules apply to “creditors” that have “covered accounts.” Although the definitions of these terms are complex, and are not crystal clear, the definitions themselves and FTC guidance indicate that health care providers would fall within the relevant definitions and therefore be subject to enforcement by the FTC under the Fair Credit Reporting Act.
The five basic required elements of a Red Flag Rules program are as follows:
1.) Identify red flags (for example, by considering billing practices and any history of suspicious patient information activity)
2.) Detect red flags (for example, by having authentication processes to verify patient identity, changes of address, etc.)
3.) Respond to red flags (for example, by seeking verification or monitoring patient accounts when suspicious activity occurs, and involving law enforcement when warranted)
4.) Update the program (for example, by responding to changes in methods of identity theft, incorporating new developments in identity theft prevention, and responding to alerts from law enforcement)
5.) Approval and Oversight (the program must have the initial approval of the entity’s board of directors or similar governing body, it must be overseen by an employee of at least senior management level status, it must include staff training, and it must include oversight of service provider arrangements)
The Red Flag Rules afford entities flexibility in designing programs appropriate to their size and complexity and the nature and scope of their operations.