FTC Indicates New Identity Theft Rules Apply to Health Care Providers; Delays Enforcement to Give Entities Time to Comply
On January 1, 2008, the Federal Trade Commission and five other governmental agencies jointly issued the Identity Theft Red Flags and Address Discrepancy Rules (the “rules”). Under the rules, financial institutions and creditors that maintain certain kinds of “covered accounts” must develop and implement a written program to detect and respond to possible incidents of identity theft.
Concerned that many entities are not aware that they must comply with the rules, the FTC announced late Wednesday, October 22, 2008, that it will delay enforcement of the Red Flags portion of the rules for six months to give the entities under its jurisdiction more time to comply. The original November 1, 2008 deadline for compliance has been moved back to May 1, 2009.
Health Care Providers May Be “Creditors” Under the Rules
Although the regulations appear to focus primarily on the financial sector, they actually affect a much broader group of businesses and organizations. Within the last several weeks, FTC staff attorneys have told several different groups – including the American Dental Association, the American Hospital Association and the American Bar Association – that physicians, hospitals, and other health care providers are “creditors” under the Red Flags Rules if they do not require full payment at the time their services are rendered.
In a newly-issued Enforcement Policy Statement, the FTC noted that “any person that provides a product or service for which the consumer pays after delivery is a creditor” under the rules. Under this approach, creditors would include hospitals that provide care and then send bills to their patients and doctors who perform procedures on patients and are later paid by the patients’ insurance companies.
Creditors With “Covered Accounts” Must Implement a Red Flags Program
If an organization qualifies as a “creditor,” it must determine whether it maintains “covered accounts” for its customers and/or patients. Under the rules, a covered account is “designed to permit multiple payments or transactions.”
The key, according to the FTC, is whether the account is designed to permit an ongoing relationship with the customer. For example, if a hospital requires a patient to provide full medical and billing information before his first visit, but does not make him resubmit all of the same information on subsequent visits, his account probably qualifies as a “covered account.” By contrast, if a patient must submit all of her information each and every time she obtains service from the organization (as if she were a first-time customer), and a new account is opened for each transaction, her account likely does not fall under the rules.
Any creditor that maintains “covered accounts” must implement a Red Flags Compliance Program before May 1, 2009.
FTC Delays Enforcement to Give Entities More Time to Implement a Program
On October 22, 2008, the FTC announced that it would suspend enforcement of the Red Flags Rules for six months.
“Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule … would be neither equitable for the covered entities nor beneficial to the public,” the FTC stated in its announcement. “Delaying Commission enforcement … will allow these entities to take the appropriate care and consideration in developing and implementing their programs.”
The suspension applies only to entities that fall under the jurisdiction of the FTC, which, for the purposes of the Red Flags Rules, includes health care providers. Entities that are regulated by the other agencies charged with enforcing the rules should not assume they have a similar six-month reprieve.
The following are answers to some frequently asked questions about the Red Flags Rules:
Q: I think my organization qualifies as a creditor with “covered accounts.” What should I do?
A: If you think your organization may fall under the rules, it is recommended that you implement a Red Flags Compliance Program. Why? Non-compliance with the rules can result in penalties from the FTC of up to $2,500 per individual violation. More importantly, though, a Red Flags Compliance Program is an excellent “best practice” that helps protect your patients and clients from the growing threat of identity theft.
The FTC has extended the deadline for compliance, so there is time to develop a program that works for your organization while satisfying the rule.
Q: How do I develop a Red Flags Compliance Program?
A: A Red Flags Compliance Program consists of (i) a set of written policies and (ii) a set of procedures designed to detect and respond to certain Red Flags. A Red Flag is a pattern, practice or suspicious activity that may indicate that identity theft is taking place. In developing a program, each organization should compile a list of Red Flags that relate to its business operations, develop procedures for detecting those Red Flags and outline a process for appropriately responding when a Red Flag is detected.
The rules are relatively flexible and allow each organization to tailor its program to reflect the size, scope and sophistication of its operations. If your business operations are relatively simple, your Red Flags Compliance Program may similarly be simple.
Once an organization develops a program, it must be approved by the organization’s board of directors (or senior staff member(s), if the organization does not have a board). The rules also require each organization to periodically review its existing program and update it as necessary.
Q: Where can I get more information?
A: Holland & Knight lawyers can provide guidance on the Red Flags Rules and assist you with all issues pertaining to the requirements of a compliance program, or help you to develop a program. The firm will hold a Web-based seminar to discuss the rules and to provide information about creating a Red Flags Compliance Program. Details will be forthcoming.