Health Care Providers May Be Subject to FTC Identity Theft “Red Flag” Program

October 2008 | Newsletters: Staying Well Within the Law


From Staying Well Within the Law, a newsletter on the current legal issues facing today's health care industry.

The Fair and Accurate Credit Transaction (FACT) Act amended the Fair Credit Reporting Act (FCRA) by adding new sections dealing with guidelines for identity theft. These so-called "Red Flag Rules" were jointly adopted by the Federal Trade Commission (FTC) and five other federal agencies – the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the National Credit Union Administration.

Under the Red Flag Rules, "financial institutions" and "creditors" with "covered accounts" must, among other things, implement a written identity theft prevention program to detect, prevent and mitigate identity theft. The final rule was published November 9, 2007, and full compliance is required by November 1, 2008. Accordingly, any "financial institution" or "creditor" with a "covered account" under the Red Flag Rules must have a written identity theft prevention program in place and operating by November 1, and the program must identify, detect and respond to patterns, practices or specific activities that could indicate that a consumer has been the victim of identity theft.

Many health care providers are unaware of or uncertain whether the requirements of the Red Flag Rules apply to them. Currently, there are ongoing discussions with the FTC to clarify whether health care providers must comply with the Red Flag Rules. In general, and until a final and clear determination has been made, health care providers should: (1) be aware of the Red Flag Rules; (2) revisit their existing privacy and security compliance programs; and (3) take any further actions necessary for compliance with the Red Flag Rules.

Although it is still not entirely clear, it is possible that health care providers will be deemed "creditors" with "covered accounts" within the Red Flag Rules. A "creditor" is: (1) any person who regularly extends, renews or continues credit; (2) any person who regularly arranges for the extension, renewal or continuation of credit; or (3) any assignee of an original creditor who participates in the decision to extend, renew or continue credit. This broad definition essentially includes anyone who bills after providing services or allows patients to defer payment. A health care provider could be deemed a creditor simply because he or she allows a patient to defer payment for medical services rendered. One issue that has been brought into question is whether there should be a distinction between a health care provider who agrees before the service is rendered to allow payment over time (i.e., a plastic surgeon for cosmetic surgery or an ophthalmologist for Lasik eye surgery) and a health care provider who simply agrees to a payment plan after the service is rendered as a means of collecting the debt.

A "covered account" is: (1) an account primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; or (2) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft. Patients' health care accounts almost always serve personal and/or family purposes because they relate to medical services provided to individuals and/or family members, and such accounts also often involve multiple payments or transactions. Moreover, health care accounts, including patient financial accounts, often present risks for identity theft.

Elements of Identity Theft Program

Under the Red Flag Rules, an identity theft program must include reasonable policies and procedures to: (1) identify relevant red flags and incorporate those red flags into the program; (2) detect red flags that have been incorporated into the program; (3) respond appropriately to any red flags that are detected in order to prevent and mitigate identity theft; and (4) ensure the program is updated periodically to reflect changes in the risks of identity theft.

Identifying Relevant Red Flags

To identify red flags, a health care provider should consider: (1) the types of covered accounts it offers or maintains; (2) the methods it uses to open or provide access to its covered accounts; (3) its previous experience with identity theft; and (4) any suspicious activity related to its covered accounts.

Some examples of red flags include:

  • alerts, notification or other warnings received from consumer reporting agencies or other service providers
  • the presentation of suspicious documents (e.g., altered documents, or a photo ID or physical description that does not match the person)
  • the presentation of suspicious personal identifying information (e.g., inconsistent or mismatched addresses or social security numbers)
  • the unusual use of, or other suspicious activity related to, a covered account (e.g., current use not consistent with historical use)
  • notice from patients, victims of identity theft or law enforcement authorities regarding possible identity theft in connection with covered accounts held by the creditor

Detecting Red Flags

Health care providers should have a process to: (1) authenticate and verify patient identity; (2) monitor transactions; and (3) verify the validity of any change of address requests. An example of such a process might include requiring patients to produce identifying information to verify their identity upon the opening of a covered account and each time that they present for services.

Responding to Red Flags

Health care providers must also make appropriate responses to prevent and mitigate identity theft. Examples of ways to respond to red flags include:

  • monitoring patient account activity for evidence of identity theft
  • contacting patients when questions or concerns arise
  • changing passwords, security codes or other security devices that permit access to a patient account
  • closing and reopening a suspicious account with a new account number
  • refusing to open a new account
  • refusing to collect on or sell an existing account
  • notifying law enforcement as appropriate

Updating Red Flags

Health care providers should ensure that their program is updated periodically to reflect changes in the risks of identity theft to their patients. Health care providers should update their program to respond adequately to various situations, including:

  • alerts from law enforcement
  • changes in methods of identity theft
  • changes in methods to detect, prevent and mitigate identity theft
  • changes in the types of accounts offered or maintained
  • changes in the health care provider’s business infrastructure, including mergers, acquisitions, alliances, joint ventures and service provider arrangements

Administration of Program

Under the Red Flag Rules, a health care provider must: (1) obtain approval of the initial program by the board of directors, a committee thereof or a senior management employee; (2) ensure oversight of the program; (3) train appropriate staff; and (4) oversee service provider arrangements (i.e., ensure that any third-party service provider's activities are compliant with the Red Flag Rules).

Thereafter, the board of directors, a committee thereof or a senior management employee must: (1) assign specific responsibility for the program’s implementation; (2) review reports prepared by staff regarding the health care provider’s compliance with the Red Flag Rules; (3) approve material changes in the program as necessary to address changing identity theft risks; and (4) stay involved, either directly or through a senior management employee, in the oversight, development, implementation and administration of the program.

The Red Flag Rules give health care providers some flexibility in implementing the identity theft program and take into account the size and complexity of the health care provider’s business. For example, a health care provider’s identity theft program can be part of its Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance plan. There is a definite overlap between requirements of Red Flag Rules and HIPAA, and many actions required under the Red Flag Rules already may have been included in the health care provider’s HIPAA plan.

There is no private cause of action under the Red Flag Rules, so compliance will be enforced by state attorneys general. Health care providers that make reasonable and good faith efforts but have failed to complete all required tasks may receive some leniency, while providers that make minimal or no progress likely will face additional scrutiny. Failure to comply with the Red Flag Rules could result in civil penalties (fines, punitive damages, attorney's fees) under FCRA. However, there are no criminal penalties associated with the Red Flag Rules.

Please let us know if you have any questions or if you would like us to assist you in creating or administering such a program.