FTC’s New Red Flags Rule: The Right Cure at the Right Time?
Identity theft is a serious problem that causes its victims financial loss, inconvenience and mental suffering. Despite a wide range of efforts to clamp down on identity theft, it continues to grow. A recent Federal Trade Commission (FTC) report revealed that in 2008, the number of identity theft complaints exceeded 1.2 million, the highest yearly number since complaints began being tracked.
Medical identity theft, while far less prevalent than financial identity theft, is a major concern for consumers. As such, it is not surprising that legislators, consumer protection agencies and advocates continue to seek new ways to prevent identity theft of all kinds and mitigate the effects of identity theft when it does occur.
One of the most recent efforts to combat identity theft is the FTC’s Red Flags Rule, a result of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Among other requirements, FACTA required the FTC to enact rules to require financial institutions and “creditors” to develop programs to assist the government in detecting, preventing and mitigating “red flags” of identity theft.
The rules were originally to take effect on Nov. 1, 2008, but were delayed several times — first to May 1, 2009, then to Aug. 1 and later to Nov. 1 of last year. Most recently, FTC delayed enforcement of the rules a fourth time, and they are now set to be enforced beginning on June 1.
With the latest implementation date looming, physicians are well advised to determine whether they are in compliance with the rules. For those who are subject to the rules, a failure to comply may result in civil monetary penalties and also could lead to less tangible losses, such as negative publicity and the loss of good will.
When Are Physicians Covered by the Rules?
Not all physicians will be subject to the rules. The duty to comply will hinge on whether a physician’s activities fall within the law’s definition of two key terms: “creditor” and “covered account.” Physicians will be subject to the rules if they satisfy a two-part test.
First, the provider must be a creditor. Under the broad definition of creditor, a physician who renders medical services to a patient without taking full payment at the time of service but rather defers payment by billing the patient will be a creditor. The same holds true for a physician who renders medical services to a patient and accepts the patient’s co-payment.
Under the second part of the test, a physician must offer or maintain covered accounts for patients to be subject to the rules. According to the rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions. Any other account the creditor offers or maintains for which there is a reasonably foreseeable risk to patients of identity theft also falls under the definition. A physician who is a creditor must have a continuing relationship with the patient before the patient’s account is considered a covered account.
What Do the Rules Require?
Physicians who are covered under the rules are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft. FTC defines a “red flag” as a “pattern, practice, or specific activity that indicates the possible existence of identity theft.”
At a minimum, the rules require the program to provide policies and procedures to:
- Identify red flags: A physician who is subject to the rules must implement a program to identify patterns, practices or specific activities that indicate the possible risk of identity theft. These items are known as “red flags.” There is no “one size fits all” approach to identifying red flags. Covered physicians, like all others who are covered by the rules, must identify those red flags that are relevant to their particular practice or business.
- Detect red flags: Physicians covered by the rules must also establish and implement policies and procedures to detect those red flags in their day-to-day operations. Red flags may be identified in a number of different areas of practice. For example, a physician may identify a red flag when verifying a patient’s identity, monitoring certain transactions and/or processing changes of address.
- Respond to red flags: The compliance program must, commensurate with the degree of risk posed, address the risk of identity theft to the individual patient and the financial institution or physician. The regulation provides an illustrative list of appropriate measures that may be used to respond to red flags.
- Update the program: The physician should periodically update the program based on experiences with identity theft, changes in the methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts offered and maintained, and changes in business arrangements.
Should Health Care Providers Have To Comply?
The American Medical Association (AMA) has been working to convince lawmakers that these rules should not apply to health care providers. With the deadline being pushed out yet again, AMA has asserted that it will use the next several months to “convince the FTC and Congress to republish the rule so that there is sufficient opportunity to formally comment and state the AMA’s objections to physician inclusion in the program.”
AMA and others who have questioned the application of the rules to physicians have raised many good points. For example, physicians already have to comply with HIPAA’s Privacy and Security Rules. In addition, requiring physicians to comply with the rules might have unintended consequences, such as a reduction in the number of physicians who are willing to accept partial payments from patients or enter into deferred billing arrangements.
In addition to these arguments, however, there is a question of whether the rules are even needed at this time. Once health information technology is implemented on a much wider scale, there may be a greater need for additional data security protections and/or identity theft precautions similar to the rules.
However, at the present time, when health IT is still in its relative infancy, requiring health care providers to implement a program to comply with the rules might force providers to dedicate time and resources to a task that, ultimately, might not have much immediate benefit for medical consumers.
What To Do Now?
With all of the attention and controversy that have accompanied the rules, as well as the continued efforts of various advocacy groups, the potential for further revisions cannot be completely ruled out.
In fact, the American Bar Association was recently successful in a motion for summary judgment for declaratory and injunctive relief from the rule’s application to lawyers.
At the same time, however, there may be significant pressure to prevent further delays or new changes. In the meantime, covered health care providers should assume that the June 1, 2010, compliance date is a real deadline and should investigate whether they already comply with the rules and implement measures to address any gaps in compliance.
To be effective, the compliance program must be specifically designed for a physician office’s operations and the risks that its patients face. The compliance program also must be continually reviewed, updated, tested and modified when necessary.
Cross-posted at iHealthBeat