Healthcare Chronicles: Are You Ready to Comply With the Red Flags Rule?

May 27, 2009
by Daniel Sternthal, J.D. and Diane T. Carter, J.D.

This report originally appeared in the May 2009 issue of DOTmed Business News

By August 1, 2009*, virtually all health care providers (including hospitals and physicians) throughout the United States will be required to comply with new privacy and security requirements intended to prevent identity theft. These new requirements are referred to as the Identity Theft Red Flags Rule (the "Rule"), and the Rule applies to any "Creditor" who maintains "Covered Accounts," as those terms are defined in the Rule.

Applicability of the Rule

The American Medical Association ("AMA") and other associations have recently corresponded with the FTC arguing, among other things, that the agency's interpretation that the Rule applies to physicians is overly broad. At the center of the debate is the definition of the term "Creditor" and whether health care providers fall under that definition. The Rule defines the term "Creditor" as having the same meaning as in the Fair Credit Reporting Act ("FCRA"), which in turn was derived directly from the definition of "Creditor" in the Equal Credit Opportunity Act ("ECOA"). The ECOA defines the term to include "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." The term "Credit" is defined in the ECOA as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payments therefor."

The FTC maintains that anyone who defers payment for services provided beyond the date of service is a Creditor and a health care provider that bills a patient after having provided medical services clearly fits that definition.

The second key definition in the Rule is "Covered Accounts." A "Covered Account" is defined as (i) an "account that a ... creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account," and (ii) "any other account that the ... creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the ... creditor from identity theft, including financial, operational, compliance, reputation or litigation risks."

Compliance Requirements

The Rule requires Creditors to develop and implement an Identity Theft Prevention Program ("Program") that identifies, detects, and responds to activities that could indicate identity theft. The first element of the Program is the identification of relevant Red Flags; these may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The second element is the development and implementation of policies and procedures designed to detect Red Flags. The third element requires that the Program include appropriate responses to prevent and mitigate identity theft. The fourth element is the development and implementation of policies and procedures to reassess and update the Program periodically: a Creditor should review the Program to determine whether the list of Red Flags it includes needs to be amended as a result of changing risks of identity theft. Finally, the Program must be managed by the Creditor's board of directors or a senior employee, include appropriate staff training, and provide for oversight of any service providers with whom the Creditor contracts.

Conclusion

Although compliance with the Rule was technically mandatory as of November 1, 2008, the FTC has granted entities subject to its jurisdiction a six-month forbearance period (ending on May 1, 2009) before it will begin enforcement of the Rule. The FTC also recently announced that effective February 9, 2009, its civil monetary penalties for violations of the FCRA, including the Rule, have increased to $3,500 per violation.

Diane Carter is Board Certified in Health Care Law by the Texas Board of Legal Specialization. Ms. Carter has over 17 years of legal experience representing a variety of clients transacting business in the health care industry. Ms. Carter's representation of these clients includes advising on transactional, regulatory, and compliance matters.

Daniel Sternthal practices in the Health Care group at Brown McCarroll. He represents health care providers across the continuum of care. Representation of these clients includes advising on corporate, business, licensing and regulatory matters.

*Note: A previous version of this article indicated an enforcement date of May 1, 2009. That has been delayed three months.