Health Care Providers May Be Required to Take Action Against Identity Theft "Red Flags"

Payment Matters Newsletter

October 2, 2008

By: James B. Wieland and Emily H. Wein

Given that health care providers often issue invoices for payment, rather than receiving payment at the time of services, they may be required to develop identity theft detection and prevention programs by November 1, 2008 pursuant to regulations jointly issued by the Federal Trade Commission (FTC) and several federal banking agencies.

Ober|Kaler Update: On October 22, 2008, the FTC announced that it will "suspend enforcement" of the regulations until May 1, 2009 to allow entities heretofore exempted from FTC regulation to craft compliant programs. One could read "suspension" of the Rule as technically not the same as "delaying the effective date" of the Rule. However, the exact wording of the FTC announcement was that the suspension was given "to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs." [Emphasis added.] This seems to indicate that the suspension is effectively the same as a delay. You may review the FTC press release here, and you may review Ober|Kaler's analysis of that press release here.

The identity theft "red flag" rules ("Red Flag rules") implement section 114 of the Fair and Accurate Credit Transactions Act of 2003. The rules require financial institutions and creditors to implement identity theft prevention programs to detect, prevent and mitigate identity theft in connection with certain existing or new accounts. These programs must be in writing, tailored to the particular financial institution or creditor and designed to detect relevant warning signs (i.e., the "Red Flags") that indicate possible identity theft and respond appropriately. The final rule was published in November 2007, became effective on January 1, 2008, and requires compliance by November 1, 2008. The rule is available at

Although the final rule does not mention health care providers, the definition of "creditor" is extremely broad. Any entity that regularly extends credit in connection with a "covered account" is within the scope of the Red Flag rules. Credit includes the right to purchase services and defer payment. A creditor must be under the jurisdiction of the FTC for the Red Flag rules to apply. While the FTC's jurisdictional rules are convoluted, they are based on its enforcement authority under the Fair Credit Reporting Act, which is interpreted very broadly. A covered account includes any account: (1) that is established primarily for personal, family or household purposes and that involves multiple payments or transactions, i.e., consumer accounts; and (2) for which there is a reasonably foreseeable risk of identity theft to the customer or the creditor.

Several credible national health care organizations have concluded that when a health care provider issues an invoice, instead of being paid at the time of service, the health care provider may be considered a creditor under the Red Flag rules. Given the breadth of the definition of a covered account and the FTC's broad jurisdictional ambit, it appears possible that health care providers, such as hospitals and physicians, may be required to comply with the Red Flag rules. There are indications that one or more organizations representing health care providers may seek clarification on this issue from the FTC.

Ober|Kaler's Comments

If health care providers are covered by the Red Flag rules, it will be important to consider whether some or all of the Red Flag responsibilities are already satisfied by their presumptive compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule and security rule policies, procedures and mechanisms. The Red Flag rules give considerable flexibility as to what a satisfactory written "program" is, depending on the nature of the particular creditor and the assessed risk of identity theft to its customers and/or itself. Perhaps with some modifications, existing HIPAA-required mechanisms can satisfy applicable requirements, especially if the issue of coverage of health care providers by the Red Flag rules is not clarified by the November 1, 2008 compliance date.
