DON'T IGNORE THE RED FLAGS
IMPLEMENTATION DEADLINE FOR RED FLAG RULES: MAY 1, 2009
At this moment you may be asking yourself at least two questions: (1) Does this even apply to my organization? and (2) What is a "red flag" anyway?

The short answer: (1) Yes, the Red Flag Rules likely apply to your organization, because your existing business practices create a creditor relationship with your patients, and your patients may become victims of identity theft; and (2) "red flags" are a pattern, practice, or specific activity that indicates the possible existence of identity theft.
Summary
As part of the Fair and Accurate Credit Transactions Act of 2003 (the "FACT Act"), the Federal Trade Commission ("FTC") promulgated regulations commonly known as the "Red Flag Rules."[1] Under the Red Flag Rules, "financial institutions" and "creditors" are required to develop and implement written identity theft prevention programs.
A "creditor" under the Red Flag Rules is broadly defined and includes any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Generally, Healthcare Providers ("Providers") treat a patient and subsequently submit a claim for services to the insurance company. Thereafter, the Provider bills any remaining unpaid balance to the patient. As a result, the Provider is "deferring" the patient's payment of his/her share of the claim and is therefore functioning as a creditor (i.e., billing occurs after the patient has received medical services).
Providers that accept deferred payments for medical services generally fall within the broad meaning of "creditor" set forth in the Red Flag Rules, and Providers that are deemed creditors with "covered accounts" must develop and implement a written Identity Theft Prevention Program ("Program") by May 1, 2009.[2]
Discussion
Implement a Written Program
The purpose of developing a written Program is to detect, prevent, and mitigate identity theft in connection with new or existing "covered accounts." A "covered account" is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. When Providers defer payments (i.e., extend credit) to patients for medical services, a covered account is created, because patients usually seek medical care primarily for personal, family, or household purposes.

Thus, if a Provider accepts deferred payments for medical services, the Provider will likely be subject to compliance with the Red Flag Rules, meaning that each such Provider must implement a written Program.
Many Providers may currently evaluate identity theft risks informally. For example, some organizations ask for photo identification of patients at the time of registration, and other organizations maintain photos of each patient with the medical record.

Identity theft may occur when a patient uses another individual's personal information to get medical services, health insurance, or prescriptions, or to collect money from medical claims.
Providers are permitted to tailor Program policies and procedures consistent with the size and complexity of the Provider's organization and the nature and scope of its activities. A written Program must include reasonable written policies and procedures to:

1. identify relevant patterns, practices, and specific types of activities that are "red flags" (i.e., identity theft risks) for covered accounts offered or maintained by the Provider;
2. incorporate the red flags identified above into a written Program;
3. respond to any red flags that are detected to prevent and mitigate identity theft; and
4. periodically update the Program to reflect changes in risks related to patient identity theft.
HIPAA and the Red Flag Rules
The Health Insurance Portability and Accountability Act of 1996, as amended, together with the rules promulgated thereunder ("HIPAA"), is a good starting point for implementing a written Program.

Although different from the Red Flag Rules, HIPAA privacy and security standards require implementation of certain identity theft protection measures. Many Providers, through implementation of HIPAA privacy and security standards, probably already have certain identity theft measures in place. Thus, HIPAA supplements the Program rather than duplicating the Red Flag Rules.
Similar to HIPAA policies and procedures, the Program should be risk-based and flexible. For example, programs for large hospital systems will differ from programs developed by smaller Providers. The Program should be tailored to the Provider's size and complexity as well as the nature and scope of its activities. Therefore, Providers should review existing HIPAA policies and procedures as a good starting point for preparing a written Program.
Next Steps
To begin implementing a Program, Providers should assign specific personnel (or possibly a committee for larger organizations) ("Organization Personnel") to prepare and implement the Program. Organization Personnel should review HIPAA policies and procedures as a good starting point. Organization Personnel should then evaluate the organization by identifying red flags (i.e., identity theft risks) across various departments such as billing, registration, medical records, and patient advocacy/compliance.

Next, Organization Personnel should develop a written Program with reasonable policies and procedures that incorporate those relevant patterns, practices, and specific types of activities that are identified as "red flags." Thereafter, Organization Personnel should develop a written process to follow when identity theft is reported to the organization and assign specific Organization Personnel to manage timely responses to suspected identity theft. Additionally, Organization Personnel should monitor various published alerts and/or notices regarding identity theft. Such publications may be provided by the State Attorney General, trade associations, the board of medicine, and local media.

Finally, Organization Personnel should obtain board approval and educate staff regarding the risks of identity theft and the organization's written Program.
Conclusion
Each Provider subject to the Red Flag Rules is required to implement a written Program on or before May 1, 2009. As discussed above, the Program should be designed as a flexible tool tailored to meet the degree of identity theft risk faced by a particular Provider. In many instances, the degree of risk varies significantly based upon the sophistication of the Provider's business practices; therefore, the Program should be designed to address the degree of potential identity theft risk identified by each Provider's organization. For example, small office practices may implement a relatively simple Program compared with Programs for larger health systems. The FTC addressed this issue in a February 9, 2009 letter responding to concerns expressed by the American Medical Association, and stated as follows:
As discussed above, the Red Flags Rule is designed to be flexible and tailored to the degree of identity theft risk faced by the particular physician; in many cases, that risk may be minimal or non-existent, such that a simple and streamlined program would be adequate. For example, for most physicians in a low risk environment, an appropriate program might consist of checking a photo identification at the time services are sought and having appropriate procedures in place in the event the office is notified - say by a consumer or law enforcement - that the consumer's identity has been misused. Such procedures might include not trying to collect the debt from the true consumer or not reporting it on the consumer's credit report, as well as ensuring that any medical information about the identity thief is maintained separately from information about the consumer. These types of simple practices are already becoming more commonplace in many physicians' offices.[3]
Please note, this article is merely intended to provide a general summary of the Red Flag Rules and is not intended as legal advice for any one specific Provider or practice. A Provider should consult counsel as to an appropriate written Program, taking into account that Provider's organization, degree of risk, and office procedures.
Should you have any questions regarding the Red Flag Rules, or if your organization would like assistance and/or training regarding implementation of a written Identity Theft Program, please contact Gregory W. Moore at (248) 988-5842 or by email at gmoore@clarkhill.com, or contact Michael W. Matthews at (248) 988-5870 or by email at mmatthews@clarkhill.com.