Are you Ready for the Red Flags Rules? Rules are now set to become effective on November 1, 2009

October 9, 2009 · Posted in Advice, Red Flags Rules

Identity theft is a serious problem that causes financial loss, inconvenience and mental suffering to its victims. Despite a wide range of different efforts to clamp down on identity theft, it continues to grow. A recent Federal Trade Commission (“FTC”) report, for example, revealed that in 2008, the number of identity theft complaints exceeded 1.2 million, the highest number on record for any particular year since such complaints were tracked. It is thus not very surprising that legislators, consumer protection agencies and advocates continue to seek new ways to prevent identity theft and mitigate the effects of identity theft when it does occur.

The enactment of the “Red Flags Rules” (the “Rules”) is one important initiative designed to help control the growth of identity theft. The Rules require financial institutions and creditors to assist the government in detecting, preventing and mitigating identity theft by watching for its “red flags.” The Rules were originally to take effect on November 1, 2008, but were delayed several times: first to May 1, 2009, then to August 1, 2009, and now compliance is required by November 1, 2009.

Under the Rules, “creditor” is defined broadly and would cover many physicians. The American Medical Association and other groups have been endeavoring to convince the FTC that it is incorrect to include physicians within the scope of the Rules. While, as noted above, the implementation of the Rules has been delayed several times, physicians have not yet been excluded from the obligation to comply with them. Accordingly, with the latest implementation date looming, physicians are well advised to determine whether they are in compliance with the Rules. For those who are subject to the Rules, a failure to comply may result in civil monetary penalties. It can also lead to less tangible losses, such as negative publicity and the loss of goodwill.

Are Physicians Covered by the Rules?

Not all physicians will be subject to the Rules. The duty to comply will hinge on whether a physician’s activities fall within the law’s definition of two key terms: “creditor” and “covered account.” Physicians will be subject to the Rules if they satisfy a two-part test. First, the provider must be a creditor. Under the broad definition of creditor, a physician who renders medical services to a patient without taking full payment at the time of service, but rather defers payment by billing the patient, will be a creditor. The same holds true for a physician who renders medical services to a patient and accepts only the patient’s co-pay at the time of service.

Under the second part of the test, to be subject to the Rules, a physician must offer or maintain covered accounts for patients. According to the Rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions, as well as any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft to patients. A physician who is a creditor must have a continuing relationship with the patient before the patient’s account is considered a covered account.

What do the Rules Require?

Pursuant to the Rules, physicians who are creditors and who offer or maintain covered accounts are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft. The FTC defines a “red flag” as a “pattern, practice, or specific activity that indicates the possible existence of identity theft.” At a minimum, the Rules require that the program provide policies and procedures to: (i) identify relevant red flags and incorporate them into the program; (ii) detect red flags in patient accounts; (iii) respond appropriately to any red flags detected in patient accounts; and (iv) ensure the program is updated periodically to reflect changes in the risks to patients, and to the safety and soundness of the physician, from identity theft, each as discussed further below.

Identify Red Flags: A physician who is subject to the Rules must implement a program to identify patterns, practices, or specific activities that indicate the possible risk of identity theft. These items are known as “red flags.” There is no “one size fits all” approach to identifying red flags. Covered physicians, like all others who are covered by the Rules, must identify those red flags that are relevant to their particular practice or business. In doing so, the physician must consider factors such as: (i) which of its accounts are subject to the risk of identity theft; (ii) the methods it provides to open its accounts; (iii) the methods it provides to access its accounts; (iv) its size, location, and patient base; and (v) its previous experiences with identity theft.

Detect Red Flags: Physicians covered by the Rules must also establish and implement policies and procedures to detect those red flags in their day-to-day operations. Red flags may surface in a number of different areas of practice. For example, a physician may identify a red flag when verifying a patient’s identity, when monitoring certain transactions, or when processing changes of address.

Respond to Red Flags: The compliance program must also address, commensurate with the degree of risk posed, the risk of identity theft both to the individual patient and to the financial institution or physician. The regulation provides an illustrative list of appropriate measures that may be used to respond to red flags. Some examples are:
(1) monitoring an account for evidence of identity theft;
(2) contacting the applicable patient;
(3) changing any passwords, security codes, or other security devices that permit access to a patient’s account;
(4) reopening an account with a new account number;
(5) not opening a new account;
(6) closing an existing account;
(7) notifying law enforcement;
(8) implementing any requirements regarding limitations on credit extensions;
(9) implementing any requirements for furnishing of information to consumer reporting agencies;
(10) determining that no response is warranted under the circumstances.

Updating the Program: Of course, it will not be sufficient simply to have a written policy in place. The policy will only be as effective as the physician’s efforts to ensure that it is complied with. The physician should periodically update its program in light of its own experiences with identity theft, changes in the methods of identity theft, changes in the methods available to detect, prevent and mitigate identity theft, changes in the accounts it offers and maintains, and changes in its business arrangements. In addition, as is essential with all effective privacy and data security programs, physicians implementing a program to comply with the Rules must train staff to carry out the program and must exercise appropriate and effective oversight of it.

What to Do Now?

With all of the attention and controversy that has accompanied the Rules, as well as the continued efforts of various advocacy groups, the potential for further revisions cannot be completely ruled out. At the same time, however, given all of the implementation delays that have already occurred, there may be considerable pressure against further delays or new changes. In the meantime, covered providers should assume that the November 1, 2009 compliance date is a real deadline, should investigate the extent to which they already comply with the Rules, and should implement measures to address any gaps in compliance. Implementing measures to comply with the Rules, while manageable, is not something that can be done overnight. To be effective, the compliance program must be specifically designed for one’s own operations and the risks that one’s patients face. The compliance program must also be continually reviewed, updated, tested and modified when necessary.

The FTC has a number of resources that will be useful for creditors who need to comply with the Rules. Among the available resources are a how-to guide for businesses and a series of frequently asked questions.

Jacqueline Klosek, Senior Counsel in the Business Law Department of Goodwin Procter LLP, is a frequent author and commentator on data privacy and security. You can email her at jacquelineklosek@gmail.com