New Identity Theft Prevention Requirements for Health Care Providers



by Dana Livingstone Kenny
Miller Nash LLP
Bend Office

Casey Moriarty
Miller Nash LLP
Portland Office

April 22, 2009

Previously published on April 7, 2009

New identity theft prevention regulations issued by the Federal Trade Commission ("FTC") will affect virtually all health care providers. These rules, known as the "Red Flag" rules, require the adoption by May 1, 2009 of aggressive policies to detect, prevent, and respond to identity theft.

Entities Subject To The Red Flag Rules

Under the Red Flag rules, all "creditors" who maintain "covered accounts" must develop a written, comprehensive Identity Theft Protection Program ("Program") that is designed to detect suspected identity theft. 

The term "creditor" is very broad and includes anyone who "regularly extends, renews, or continues credit." The FTC has stated that health care providers that bill clients, customers, or patients for services after the providers have rendered the services qualify as creditors. This is a broad definition and includes physicians who submit a claim to an insurance carrier before billing any remaining unpaid amounts to a patient.

"Covered accounts" include consumer-type accounts or other accounts for which there is a reasonable risk of identity theft. Examples of covered accounts include: 1) patient accounts and billing records, 2) pharmacy records, and 3) business-to-business accounts that may be at risk for identity theft.

Red Flag Requirements

As part of their Red Flag Program, health care providers must identify and evaluate patterns, practices, or activities that indicate the possible existence of identity theft. These "red flags" include any identity theft risks known to the health care provider based on its past experiences, fraud alerts on a patient's credit report, suspicious documents or personal identifying information, unusual account activity, notices from patients or law enforcement regarding the account, mail sent to a patient that is returned repeatedly as undeliverable even though transactions continue to be conducted with the patient's account, and records showing medical treatment that is inconsistent with the medical history reported by the patient.

The Program must contain procedures not only to detect Red Flag incidents, but also to respond to the incidents when they occur. Providers must update the Program periodically to reflect changes in risk or methods of identity theft. Additionally, providers must conduct regular risk assessments to identify accounts that are subject to the Red Flag rules.

Relation to HIPAA Security Requirements

Health care providers that comply with HIPAA as "covered entities" may already be in partial compliance with the Red Flag rules because they likely have policies in place to safeguard protected health information. However, to be in full compliance with the Red Flag rules, providers also must implement policies to detect security breaches and prevent the misuse of protected health information if it is stolen. 

In other words, while HIPAA focuses primarily on the security of data, the Red Flag Rules focus on discovering security breaches and mitigating the damage that breaches cause to patients.

Next Steps

All health care providers that allow patients to defer payment must implement policies to detect, prevent, and mitigate identity theft. The FTC has designed the rules to be flexible, and individual providers can tailor their policies to the size and complexity of their practice and to the degree of identity theft risk that they face.

For example, providers in a low risk environment, with a small, known patient base need only implement a limited Program that includes: 1) checking a photo identification at the time services are sought, 2) having procedures to respond when notified that a patient's identity has been misused, 3) not collecting debt from the true consumer, and 4) not reporting the true consumer to credit reporting agencies.

Hospitals and larger provider groups that see a high volume of patients will need more extensive policies to ensure the security of information.

Any Red Flag policies of a health care provider must be developed, approved, implemented, and supervised by the Board or other governing body. This duty includes training employees and exercising appropriate and effective oversight of relevant service provider arrangements.

Penalties

Under the Fair and Accurate Credit Transactions Act, the FTC may penalize organizations up to $2,500 for knowing violations of the Red Flag Rules. Additionally, consumers who are harmed by identity theft may recover up to $1,000 per violation, as well as attorneys' fees and punitive damages, from non-compliant organizations.

The views expressed in this article are solely the views of the author and not Martindale-Hubbell. This article is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.


Copyright 2009 LexisNexis, a division of Reed Elsevier Inc. All rights reserved.