Health care providers should promptly review the requirements of the Red Flag Rule (the Rule), and, if affected, implement a program for addressing “red flags,” which are patterns, practices or activities that indicate possible identity theft. While the Rule primarily targets financial institutions, many health care providers are included in the Rule’s broad definition of “creditor.” The Rule requires establishing a written Identity Theft Prevention Program (the Program) containing policies and procedures to: (a) identify Red Flags that are relevant to the provider’s activities, (b) detect Red Flags incorporated into the Program, (c) respond appropriately to Red Flags to prevent and mitigate identity theft, and (d) ensure that the policies and procedures are updated periodically. The Rule requires that the initial Program be approved by the institution’s board of directors or, if no board exists, by a designated senior management employee. Also, the board or senior management must be involved in the oversight and administration of the Program. The Program must provide for employee training to implement the Program effectively, and for effective oversight of any third party service provider arrangements. The mandatory compliance date is November 1, 2008.
Applicability to Health Care Providers as “Creditors” and to Not-for-Profits
The Federal Trade Commission (FTC) issued the Rule jointly with the U.S. Department of the Treasury, Federal Reserve System, Federal Deposit Insurance System and National Credit Union Administration to implement Fair and Accurate Credit Transactions Act (FACT) provisions that amended the Fair Credit Reporting Act of 1970 (FCRA). The Rule’s provision most relevant to health care providers applies to “creditors” with “covered accounts,” as defined below:
- The Rule defines a “creditor” as any person who regularly extends, renews or continues credit. “Credit” is defined as the right granted by a creditor to a debtor to purchase property or services and defer payment for such purchases. Under these definitions, a health care provider would be a creditor extending credit whenever the provider permits a patient to defer payment for services rendered. Most health care providers will likely meet the definition of creditor because they permit patients to defer payments for various reasons. Few health care providers collect all, or even most, fees in advance or at the time of service.
- A “covered account” is defined as: (a) an account that a “creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions;” and (b) any other account that a “creditor offers or maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness” of the creditor “from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Many billing accounts maintained by health care providers would likely meet one or both definitions of a covered account. Health care services would typically be for personal or family purposes, and health care providers generally maintain the billing account as services are rendered and balances paid on an ongoing basis. Additionally, the billing account represents a risk of identity theft, as either the patient’s information used to establish the account could be compromised, or the health care provider could be at risk for charges made to a fraudulently established account or to a valid account by an unauthorized party.
Given the broad definition of “creditor,” health care providers that maintain covered accounts likely will be subject to the Rule as described above. Additionally, any time a health care provider permits an alternative payment plan, such as for charity care patients, the health care provider is extending credit. As a result, it would be prudent for health care providers to develop the required Program by the compliance deadline, unless formal relief is granted.
Additional Provisions of the Rule
The Rule also includes a requirement that may affect health care providers that use consumer reports, such as those who perform a credit check when scheduling elective or self-pay procedures. It requires that consumer report users that are subject to FCRA enforcement by the FTC develop and implement policies and procedures to verify that the consumer report relates to the consumer about whom the user requested the report when the user receives a consumer reporting agency’s notice of address discrepancy. The user must also develop and implement policies and procedures for furnishing the consumer’s address that the user has reasonably confirmed as accurate to the consumer reporting agency that issued the notice of address discrepancy, when the user: (a) can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report, (b) establishes a continuing relationship with the consumer, and (c) regularly and in the ordinary course of business furnishes information to the consumer reporting agency that issued the notice of address discrepancy.
Example Red Flags and Program Procedures
The Rule provides examples of Red Flags, but health care providers will need to identify and incorporate into their Programs Red Flags that are relevant to their activities. Red Flags could include, among others, such events as a patient who presents an identification card that appears to have been tampered with, discrepancies between admissions information and prior account information or insurance eligibility information, and suspicious personal information such as the use of a post office box rather than a physical address. The Program would need to identify how to detect each type of Red Flag and what measures to take when a Red Flag is detected. The Program would also need to provide training for the appropriate personnel, such as admissions staff who check identification cards during the admission process, and to contain procedures instructing them regarding the actions to take to resolve each Red Flag. Health care providers may be able to incorporate existing measures, such as identification procedures they implemented for HIPAA compliance or payor network participation, into their Program.
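The detection and response steps described above can be expressed as a small rule set that admissions systems run at registration. The following is an added illustration, not part of the original article or any vendor's product: it compares a new admission record against the patient's prior account and a payor eligibility response, flags a post office box given in place of a physical address, carries forward the admissions clerk's note that an identification card appears altered, and maps each Red Flag to the action the Program prescribes. All field names, sample records and response text are constructed assumptions for the example.

```python
import re

# Constructed sample records (hypothetical field names, not from the article).
PRIOR_ACCOUNT = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1980-04-12",
    "address": "12 Elm Street, Springfield",
    "insurance_member_id": "ABC123",
}

ADMISSION = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1981-04-12",                      # differs from the prior account
    "address": "P.O. Box 4471, Springfield",  # not a physical address
    "insurance_member_id": "ABC123",
    "id_card_tampered": True,                 # recorded by admissions staff who inspected the card
}

# Constructed stand-in for a payor eligibility response, keyed by member id.
ELIGIBILITY = {"ABC123": {"name": "Jane Doe", "dob": "1980-04-12", "active": True}}

# Matches "PO Box", "P.O. Box", "Post Office Box" and similar spellings.
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)

# Fields compared between the admission record and the prior account record.
COMPARED_FIELDS = ("name", "dob", "insurance_member_id")

# Prescribed response per Red Flag (the "respond appropriately" element of the Program).
RESPONSES = {
    "ID_CARD_TAMPERED": "hold registration; supervisor verifies identity with a second document",
    "ACCOUNT_DISCREPANCY": "hold registration; confirm the field with the patient and the prior record",
    "ELIGIBILITY_DISCREPANCY": "contact the payor before treating the account as insured",
    "PO_BOX_ADDRESS": "obtain a physical address before extending credit",
}


def is_po_box(address):
    """True when the address text is a post office box rather than a street address."""
    return bool(PO_BOX_RE.search(address or ""))


def detect_red_flags(admission, prior_account, eligibility):
    """Return a list of (flag_code, detail) tuples for one admission record.

    Checks run in a fixed order so the output is deterministic and auditable.
    """
    flags = []

    # Red Flag: identification card appears to have been tampered with.
    if admission.get("id_card_tampered"):
        flags.append(("ID_CARD_TAMPERED", "identification card appears to have been altered"))

    # Red Flag: admission information disagrees with the prior account.
    for field in COMPARED_FIELDS:
        if prior_account.get(field) is not None and admission.get(field) != prior_account[field]:
            flags.append(("ACCOUNT_DISCREPANCY", f"{field!r} differs from prior account record"))

    # Red Flag: admission information disagrees with payor eligibility data.
    member = eligibility.get(admission.get("insurance_member_id"))
    if member is None or not member.get("active"):
        flags.append(("ELIGIBILITY_DISCREPANCY", "no active coverage found for member id"))
    else:
        for field in ("name", "dob"):
            if member.get(field) != admission.get(field):
                flags.append(("ELIGIBILITY_DISCREPANCY", f"{field!r} differs from payor eligibility data"))

    # Red Flag: post office box supplied instead of a physical address.
    if is_po_box(admission.get("address")):
        flags.append(("PO_BOX_ADDRESS", "address is a post office box, not a physical address"))

    return flags


def required_actions(flags):
    """Deduplicated, sorted list of the responses the detected flags require."""
    return sorted({RESPONSES[code] for code, _ in flags})


if __name__ == "__main__":
    found = detect_red_flags(ADMISSION, PRIOR_ACCOUNT, ELIGIBILITY)
    for code, detail in found:
        print(f"{code}: {detail}")
    for action in required_actions(found):
        print(f"action: {action}")
```

On the constructed admission above the function raises four flags (altered card, date-of-birth mismatch against the prior account, the same mismatch against eligibility data, and the post office box), and a registration that matches the prior account cleanly produces none. Keeping the flag-to-response table as data rather than logic makes the periodic Program update the Rule calls for a review of one table rather than a code change.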