Health Care Providers: Don't Miss the Red Flags

The Federal Trade Commission (FTC) recently issued a reminder of the upcoming Nov. 1, 2008, compliance deadline for implementing identity theft prevention programs pursuant to the identity theft red flag rules (“Red Flag Rules”).

Many health care providers have been unaware of the Red Flag Rules or have been uncertain of the applicability of these requirements. Providers in general should be aware of the Red Flag Rules, should revisit their existing privacy and security compliance programs to ensure that the requirements of the Red Flag Rules have been addressed, and should take other actions to bring themselves into compliance with applicable requirements. It would be prudent for those health care providers that have not done so already to seek legal advice with respect to applicability and appropriate compliance with the Red Flag Rules.

Applicability to for-profit and nonprofit health care providers

Under the Red Flag Rules, creditors that are subject to FTC enforcement under the Fair Credit Reporting Act (FCRA) with “covered accounts” must implement programs that identify, detect and respond to practices that could indicate identity theft. Although opinions differ, it is likely that health care providers—whether they are for-profit or nonprofit—are subject to the Red Flag Rules because they (1) are creditors, (2) are subject to enforcement by the FTC under the FCRA, and (3) have “covered accounts.”

1. Creditors. First, the Red Flag Rules apply to creditors. A “creditor” includes any person or entity that “regularly extends, renews, or continues credit.” The term “credit” means “the right granted by a creditor to a debtor to defer payment of debt or … to purchase … services and defer payment therefor.” For health care providers, credit would result when, for example, a health care provider grants a patient the right to defer payment for medical services rendered. Thus, a health care provider could be deemed a creditor because it “regularly extends, renews, or continues credit,” in the form of deferred payment for medical services, to patients and to others who utilize the health care provider's services.
   
   
2. Subject to FCRA enforcement. The second step of this analysis is to determine whether a health care provider is a creditor that is subject to the administrative enforcement of the FCRA by the FTC. This determination is complicated by the fact that a FCRA violation is enforced as a violation of the FTC Act; however, those subject to FCRA enforcement include any person, including a corporation, that violates the FCRA “irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests” of the FTC Act. Thus, although the FTC Act allows the FTC to govern only corporations that operate “for profit” (as well as nonprofit trade associations and professional societies that provide economic benefits to their for-profit members), the FCRA contains no such similar restriction. Accordingly, a nonprofit corporation likely would be subject to FTC enforcement under the FCRA and, likewise, may be subject to the Red Flag Rules.
   
   
3. Covered accounts. Finally, the Red Flag Rules apply only to “covered accounts.” A covered account is defined broadly as (a) an “account … primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions”; or (b) “[a]ny other account … for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the … creditor from identity theft.” Health care providers' patient (and perhaps other) accounts appear to qualify as covered accounts under both prongs of the definition: patient accounts serve “personal” and/or “family” purposes because such accounts relate to medical services for individuals and/or family members and often involve or permit multiple payments or transactions; and health care provider accounts, including patient financial accounts, present possibilities for identity theft.

Requirements of a red flag program

The Red Flag Rules mandate that a covered entity's program should detect, prevent and mitigate identity theft in connection with covered accounts and should “include reasonable policies and procedures to” accomplish the following:

• Identify red flags. To identify red flags, health care providers should consider the types of accounts offered and maintained, the methods used to open and provide access to such accounts, any previous experience with identity theft, and any suspicious activity related to patient accounts. Additionally, health care providers should pay particular attention to actual or reasonably likely instances of medical identity theft, which is a growing problem.
  
  
• Detect red flags. To detect red flags, a health care provider should have a process to authenticate patients, monitor transactions and verify the validity of change-of-address requests. Such a process might include requiring patients to produce identifying information to verify their identity at the inception of the account and when they present for service.
  
  
• Respond to red flags. To respond to red flags, covered entities must make “appropriate responses” that prevent and mitigate identity theft. For health care providers, appropriate responses might include responding to identity theft alerts from law enforcement or others, monitoring patients' covered accounts, contacting patients when questions or concerns arise, changing passwords or security codes, refraining from collecting on an account or selling it to a debt collector, or notifying law enforcement as appropriate.
  
  
• Ensure the program is updated. Covered entities should ensure the program is updated to reflect changing risks to patients or the safety of the provider from identity theft and medical identity theft. Health care providers should update their program to adequately respond to alerts from law enforcement and others, changes in the methods of identity theft, changes in the methods to detect and prevent identity theft, and changes to the health care provider's business infrastructure.
  
  
• Obtain board approval. The covered entity's board of directors (or an appropriate board committee) must approve the identity theft prevention program and, thereafter, be involved directly, or through a designated senior management employee, in the oversight, development, implementation and administration of the program. Additionally, covered health care providers must assign specific responsibility for implementation, train staff, audit compliance, generate annual reports, and oversee anyone granted access to covered accounts.

Much like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Red Flag Rules give covered health care providers some flexibility in implementing their identity theft programs, taking into account the size and complexity of a health care provider's business. The Red Flag Rules “underscore … the ability of a … creditor to incorporate into its [identity theft program] its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft.” Thus, the program developed in compliance with the Red Flag Rules may be part of a provider's HIPAA compliance efforts. Indeed, there is overlap between the requirements of HIPAA and the Red Flag Rules. Many of these actions already may have been included in an organization's HIPAA compliance efforts.

Davis Wright Tremaine issued an alert on the Red Flag Rules, “Red Flag Identity Theft Programs Required by November 2008” by John D. Seiver.

Davis Wright Tremaine would like to thank summer associate Missy Mordy for contributing to this advisory.