Many health care providers have been unaware of the Red Flag Rules or have been uncertain of the applicability of these requirements. Under the Red Flag Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. Providers in general should be aware of the Red Flag Rules, should revisit their existing privacy and security compliance programs to ensure that the requirements of the Red Flag Rules have been addressed, and should take other actions to bring themselves into compliance with applicable requirements prior to the May 1, 2009 enforcement date.
Applicability to Health Care Providers
Under the Red Flag Rules, creditors that are subject to FTC enforcement under the Fair Credit Reporting Act (FCRA) with “covered accounts” must implement programs that identify, detect and respond to practices that could indicate identity theft. Although opinions differ, it is likely that health care providers—whether they are for-profit or nonprofit—are subject to the Red Flag Rules because they (1) are creditors, (2) are subject to enforcement by the FTC under the FCRA, and (3) have “covered accounts.”
(1) Creditors. First, the Red Flag Rules apply to creditors. A “creditor” is defined as any person or entity that regularly extends, renews, or continues credit. The term “credit” means the right granted by a creditor to a debtor to defer payment of debt or to purchase services and defer payment for such services. For health care providers, credit would result when, for instance, a health care provider grants a patient the right to defer payment for medical services rendered. Thus, a health care provider could be deemed a creditor because it “regularly extends, renews, or continues credit,” in the form of deferred payment for medical services, to patients and to others who utilize the health care provider’s services.
(2) Subject to FCRA enforcement. The second step is to determine whether a health care provider is a creditor that is subject to the administrative enforcement of the FCRA by the FTC. An FCRA violation is enforced as a violation of the FTC Act. Those subject to FCRA enforcement include any person, including a corporation, that violates the FCRA “irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests” of the FTC Act. Thus, most “for profit” and “non-profit” health care providers are subject to FTC enforcement under the FCRA and, likewise, may be subject to the Red Flag Rules.
(3) Covered accounts. Finally, the Red Flag Rules apply only to “covered accounts.” A covered account is defined broadly as (a) an “account … primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions”; or (b) “[a]ny other account … for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the … creditor from identity theft.” Health care providers’ patient accounts appear to qualify as covered accounts under both prongs of the definition: (1) patient accounts serve “personal” and/or “family” purposes because such accounts relate to medical services for individuals and/or family members and often involve or permit multiple payments or transactions; and (2) health care provider accounts, including patient financial accounts, present possibilities for identity theft.
Requirements of a Red Flag Program
The Red Flag Rules mandate that a covered entity’s program should detect, prevent and mitigate identity theft in connection with covered accounts and should include reasonable policies and procedures to accomplish the following:
· Identify red flags. To identify red flags, health care providers should consider the types of accounts offered and maintained, the methods used to open and provide access to such accounts, any previous experience with identity theft, and any suspicious activity related to patient accounts. Health care providers should pay particular attention to actual or reasonably likely instances of medical identity theft, which is a growing problem.
· Detect red flags. To detect red flags, a health care provider should have a process to authenticate patients, monitor transactions and verify the validity of change-of-address requests. Such a process might include requiring patients to produce identifying information to verify their identity at the inception of the account and when they present for service.
· Respond to red flags. To respond to red flags, covered entities must make “appropriate responses” that prevent and mitigate identity theft. For health care providers, appropriate responses might include responding to identity theft alerts from law enforcement or others, monitoring patients’ covered accounts, contacting patients when questions or concerns arise, changing passwords or security codes, refraining from collecting on an account or selling it to a debt collector, or notifying law enforcement as appropriate.
· Ensure the program is updated. Covered entities should ensure the program is updated to reflect changing risks to patients or the safety of the provider from identity theft and medical identity theft. Health care providers should update their program to adequately respond to alerts from law enforcement and others, changes in the methods of identity theft, changes in the methods to detect and prevent identity theft, and changes to the health care provider’s business infrastructure.
· Obtain board approval. The covered entity’s board of directors (or an appropriate board committee) must approve the identity theft prevention program and, thereafter, be involved directly, or through a designated senior management employee, in the oversight, development, implementation and administration of the program. Additionally, covered health care providers must assign specific responsibility for implementation, train staff, audit compliance, generate annual reports, and oversee anyone granted access to covered accounts.
Much like the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Red Flag Rules give covered health care providers some flexibility in implementing their identity theft programs, taking into account the size and complexity of a health care provider’s business. A program developed in compliance with the Red Flag Rules may be part of a provider’s HIPAA compliance efforts. There is certainly overlap between the requirements of HIPAA and the Red Flag Rules, and many of these actions may already have been included in an organization’s HIPAA compliance efforts.
© 2009 Parsonage Vandenack Williams LLC
For more information, contact firstname.lastname@example.org