The Federal Trade Commission's Red Flag Rules 

The Federal Trade Commission (“FTC”) issued regulations on November 9, 2007, to help fight identity theft, known as the Red Flag Rules, which apply to financial institutions and creditors. Since the Red Flag Rules were issued, there has been a lot of discussion around the application of the Red Flag Rules to physician offices.

Who qualifies for the Red Flag Rules?
The Red Flag Rules define a creditor as any entity that regularly extends, renews, or continues credit. In most physician offices, the physician bills insurance on behalf of the patient and then bills the patient for the balance. As it stands today, the FTC has interpreted this as an extension of credit. Specifically, the FTC has taken the position that the Red Flag Rules apply to physicians who do not require full payment up front at the time they see patients, which has caused great debate in the industry.

What is required under the Red Flag Rules?
The Red Flag Rules require that a creditor develop and implement a written Identity Theft Prevention Program (“Program”) to detect, prevent and mitigate identity theft in connection with certain accounts. The goal of the Program is to identify patterns and practices (“Red Flags”) that indicate a potential risk of identity theft.

The Red Flag Rules list the four basic elements that must be included in the Program. The Program must contain "reasonable policies and procedures" to:

  • Identify relevant Red Flags for covered accounts and incorporate those into the Program;
  • Detect Red Flags that have been incorporated into the Program;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically to reflect changes to risks to customers or to the safety and soundness of the creditor from identity theft.

When do the Red Flag Rules take effect?
The original date for compliance was November 1, 2008, but the FTC extended the deadline to May 1, 2009.

What are examples of Red Flag Rules?

  • Suspicious documents
  • Suspicious presentation of personal information such as change of address
  • Notices received from government, regulatory and other relevant agencies regarding inappropriate activity
  • Increases in activity
  • A material change in credit
  • Inconsistent information
  • Documents that appear to be forged
  • Person not supplying all required information

What are examples of how Red Flags are detected?

  • Obtaining and verifying information when a person opens an account
  • Authenticating customer information
  • Verifying change of address information
  • Monitoring information
  • A material change in credit
  • Photo Identification

What are examples of preventing and mitigating identity theft?

  • Checking for unauthorized access to customer accounts
  • Changing passwords
  • Contacting customer when an issue is detected
  • Using new account number
  • Notifying law enforcement of issues detected
  • Determining circumstances where no action is warranted

What are examples of periodically updating the program?

  • Adding or changing methods of identifying identity theft
  • Changing policies to reflect increased risk

What is the American Medical Association’s (“AMA”) standing on the Red Flag Rules?
The AMA and other healthcare organizations have taken the position that physicians should not be subject to the Red Flag Rules. To date, it does not appear that the AMA’s position has impacted or changed the current pending enforcement date.

What should I do next?
It is very important that you review the detailed Red Flag Rules to determine their impact on your individual organization. It is always recommended that you consult your own legal counsel to determine how this affects your organization. This article is intended for informational purposes only and should not be interpreted as a legal opinion or legal advice.

Where can I find more information?
Federal Register - edocket.access.gpo.gov/2007/pdf/07-5453.pdf
AMA Letter - www.ama-assn.org/ama1/pub/upload/mm/31/ftc_letter20080930.pdf
FTC’s website - www.ftc.gov

Connect with Vitera

Provider of EHR and practice management software servicing approximately 80,000 physicians
