Saturday, January 23, 2010
FTC's New Red Flags Rules: Are They the Right Cure at the Right Time?
Medical identity theft, while far less prevalent than financial identity theft, is a major concern for consumers. It is thus not very surprising that legislators, consumer protection agencies and advocates continue to seek new ways to prevent identity theft of all kinds and mitigate the effects of identity theft when it does occur.
One of the most recent efforts to combat identity theft is FTC's Red Flags Rules, a result of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Among other requirements, FACTA required FTC to enact rules requiring financial institutions and "creditors" to develop programs to assist the government in detecting, preventing and mitigating "red flags" of identity theft.
The rules were originally to take effect on Nov. 1, 2008, but were delayed several times -- first to May 1, 2009, then to Aug. 1, 2009, and then to Nov. 1, 2009. Most recently, FTC delayed the enforcement of the rules a fourth time, and they are now set to be enforced beginning on June 1, 2010.
Accordingly, with the latest implementation date looming, physicians are well advised to determine whether they are in compliance with the rules. For those who are subject to the rules, a failure to comply may result in civil monetary penalties and also could lead to less tangible losses, such as negative publicity and the loss of good will.
When Are Physicians Covered by the Rules?
Not all physicians will be subject to the rules. The duty to comply will hinge on whether a physician's activities fall within the law's definition of two key terms: "creditor" and "covered account." Physicians will be subject to the rules if they satisfy a two-part test.
First, the provider must be a creditor. Under the broad definition of creditor, a physician who renders medical services to a patient without taking full payment at the time of service but rather defers payment by billing the patient will be a creditor. The same holds true for a physician who renders medical services to a patient and accepts the patient's co-payment.
Under the second part of the test, a physician must offer or maintain covered accounts for patients to be subject to the rules. According to the rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions. Any other account the creditor offers or maintains for which there is a reasonably foreseeable risk to patients of identity theft also falls under the definition. A physician who is a creditor must have a continuing relationship with the patient before the patient's account is considered a covered account.
What Do the Rules Require?
Physicians who are covered under the rules are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft. FTC defines a "red flag" as a "pattern, practice, or specific activity that indicates the possible existence of identity theft."
At a minimum, the rules require the program to provide policies and procedures to:
• Identify red flags: A physician who is subject to the rules must implement a program to identify patterns, practices or specific activities that indicate the possible risk of identity theft. These items are known as "red flags." There is no "one size fits all" approach to identifying red flags. Covered physicians, as well as all others who are covered by the rules, must identify those red flags that are relevant to their particular practice or business.
• Detect red flags: Physicians covered by the rules must also establish and implement policies and procedures to detect those red flags in their day-to-day operations. Red flags may be identified in a number of different areas of practice. For example, a physician may identify a red flag when verifying a patient's identity, monitoring certain transactions and/or processing changes of address.
• Respond to red flags: The compliance program must, commensurate with the degree of risk posed, address the risk of identity theft to the individual patient and to the financial institution or physician. The regulation provides an illustrative list of appropriate measures that may be used to respond to red flags.
• Update the program: The physician should periodically update the program based on experiences with identity theft, changes in the methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts offered and maintained, and changes in business arrangements.
ihealthbeat