How to Comply with the Federal Trade Commission’s New “Red Flags Rule”
Elizabeth E. Hogue, Esq.
Office: 877-871-4062
Fax: 877-871-9739
E-mail: ElizabethHogue@ElizabethHogue.net
On May 1, 2009, the Federal Trade Commission will begin enforcing its new Red Flags Rule. This Rule was created to ensure that certain types of organizations are doing everything in their power to identify, prevent, and reduce incidents of identity theft. The Rule is based on the perception that health care providers may have many opportunities in their day-to-day operations to discover the “red flags” of identity theft. Some health care providers, therefore, may be subject to this Rule, which requires that businesses develop identity theft Programs tailored to the characteristics and needs of their organizations.
Your organization is required to comply with the Red Flags Rule only if both of the following requirements are met:
1. Your organization is a “creditor,” as defined by the Rule.
Health care providers are creditors if they accept deferred payments, i.e., bill their patients after services are rendered. Providers that accept insurance are also defined as creditors if the patient is ultimately responsible for his or her medical fees. Private duty providers, for example, who do not always require payment for services in advance, are likely to be subject to the Rule.
2. You have “covered accounts.”
The FTC defines an “account” as “a continuing relationship established by a person with a…creditor to obtain a product or service for personal, family, household or business purposes.” The two types of covered accounts are:
a. “An account…that involves or is designed to permit multiple payments or transactions…” (This applies to ongoing relationships with patients for the provision of medical services.)
b. “Any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the…creditor from identity theft.”
Just remember: if your organization is a creditor, but has no covered accounts, then you are not required to develop an identity theft program. Only creditors who also have covered accounts must develop a program.
Basically, your program must have four objectives:
- Identification of Relevant Red Flags
The FTC lists the following categories of Red Flags that your program must identify and attempt to prevent:
  - Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
  - The presentation of suspicious documents;
  - The presentation of suspicious personal identifying information, such as a suspicious address change;
  - The unusual use of, or other suspicious activity related to, a covered account; and
  - Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
Determine which warning signs are relevant to your organization. Health care providers are especially vulnerable to medical identity theft, so be sure to distinguish its Red Flags.
- Detection of Red Flags
Policies and procedures should be put in place that will help staff to recognize incidents of identity theft. Red Flags may appear, for example, when confirming a patient’s identity, verifying insurance information, or reviewing medical records. Staff training schedules and procedures for monitoring the work of your service providers should be included in the program, as appropriate.
- Prevention and Mitigation of Identity Theft
Indicate in your program how you will respond to certain Red Flags. According to the FTC, appropriate responses may include the following:
  - Monitoring a covered account for evidence of identity theft;
  - Contacting patients;
  - Changing any passwords, security codes, or other security devices that permit access to a covered account;
  - Reopening a covered account with a new account number;
  - Closing an existing covered account;
  - Notifying law enforcement; or
  - Determining that no response is warranted under the particular circumstances.
- Periodic Modification of the Program
You must update your program periodically in order to reflect changes in identity theft risks and new methods for Red Flag detection, prevention, and mitigation.
In order to ensure continued success of your identity theft program, the Rule requires that the program be administered by your Board of Directors, an appropriate committee of the Board, or a designated senior-level management employee. The FTC states that oversight of the plan should include:
- Assigning specific responsibility for the Program’s implementation;
- Reviewing reports prepared by staff regarding compliance by the…creditor; and
- Approving material changes to the Program as necessary to address changing identity theft risks.
Health care providers who choose to violate the Red Flags Rule may be subject to civil monetary penalties. In order to help you avoid these penalties and meet the requirements above, the FTC has created Guidelines for developing an identity theft program. These Guidelines can be found on pages 63773 and 63774 of the Red Flags Rule, which is available online at: http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.
There is always something new in the healthcare industry! The Red Flags Rule is just the latest regulatory hurdle for providers.
References
George, T., & Singh, P. (September 2008). The “Red Flags” Rule: What health care providers need to know about complying with the new requirements for fighting identity theft. From http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm.
Identity theft red flags and address discrepancies under the Fair and Accurate Credit Transactions Act of 2003. Federal Register, 72(217), 63718-63775.
©Copyright, 2009. Elizabeth E. Hogue, Esq. All rights reserved.
No portion of this material may be reproduced in any form without the advance written permission of the author.