Federal Trade Commission's Red Flags rule

As part of the Federal Trade Commission's (FTC's) implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003, medical providers may need to comply with the "Red Flags" rule, which requires creditors to establish a program to prevent identity theft in their practices. The program, as discussed in more detail below, must incorporate Red Flags, that is, indicators of a possible risk of identity theft. While the rule was originally scheduled to go into effect on Nov. 1, 2008, advocacy efforts by the Medical Group Management Association (MGMA) and other medical associations resulted in a six-month delay in enforcement until May 1, 2009. MGMA still has concerns about the application of this rule to health care providers, including the late notification by the FTC that providers are considered creditors. As a result, the health care community was not able to provide meaningful comments to the agency on the rule, as would normally be the case in the rulemaking process. We are still engaged in advocacy efforts on this issue but have provided this information to assist you in planning for the May 1 compliance date. In a Feb. 4 correspondence to MGMA and others in the medical provider community, the FTC maintains its position that certain health care providers are creditors.

Who is a creditor?

The Red Flags rule (http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf) defines a creditor as any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. The FTC interprets this to include a medical provider if the provider does not regularly demand payment in full for services or supplies at the time of service. This includes, for example, a provider who bills a patient's insurance company before requesting payment in full from the patient.
In its most recent correspondence, the FTC reinforced this point by stating: "When a physician submits a claim to an insurance carrier first and then bills any remaining unpaid amounts to the patient, whether she does so as a courtesy to the patient or because she is required to do so as a matter of contractual or state law, the physician is deferring the consumer's payment of his or her share of the claim (i.e., the physician is billing the patient after having provided the patient with medical services). The FTC considers a physician who engages in this type of arrangement to be a creditor for purposes of the Red Flags rule."
What are covered accounts?

Once an entity determines that it is a creditor, the next question is whether it maintains covered accounts. As defined in the regulations, covered accounts are accounts that permit multiple payments or transactions and those that pose a reasonably foreseeable risk to customers or to the safety and soundness of medical practices from identity theft, including financial, operational, compliance, reputation or litigation risks. The FTC considers patient billing records to be covered accounts.

What does the Red Flags rule require?

If a practice determines it qualifies as a creditor that maintains covered accounts, the Red Flags rule applies. The practice will be required to develop an identity theft prevention program that contains "reasonable policies and procedures" (which may incorporate existing policies and procedures) to achieve the following goals:
1. Identify relevant indicators of a possible risk of identity theft ("Red Flags")
2. Detect Red Flags
3. Prevent and mitigate identity theft
4. Update the identity theft prevention program

The following guidance is based on the FTC's publications and communications regarding the Red Flags rule. Note also that the FTC, in its recent correspondence to the medical community, stated that, due to the risk-based nature of the requirements, it did not believe the rule would impose significant burdens on most providers. It gave examples of a low-risk practice (a small practice with a limited, well-known patient base) and a high-risk practice (a clinic in a large metropolitan area that treats a high volume of patients). It stated that in low-risk practices, an appropriate program might involve checking photo identification and having policies to deal with the theft of a patient's identity (including not trying to collect the debt from the patient and separating the medical records of the real patient from those of the identity thief).

1. Identifying relevant indicators of a possible risk of identity theft ("Red Flags")

In identifying Red Flags, a practice should consider:
- The types of covered accounts it offers or maintains
- The methods it provides to open its covered accounts (in the case of health care providers, this could include the intake procedure for new patients)
- The methods it provides to access its covered accounts; and
- Its previous experiences with identity theft

Red Flags can come from a number of sources, including:
- Incidents of identity theft that the practice has experienced
- Methods of identity theft that the practice has identified that reflect changes in identity theft risks
- Applicable supervisory guidance

The following categories of Red Flags are offered as guidance by the FTC in its rule:

Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.

The presentation of suspicious documents:
- Documents provided for identification appear to have been altered or forged
- The photograph or physical description on the identification is not consistent with the appearance of the patient presenting the identification
- Other information on the identification is not consistent with information provided by the patient
- Other information on the identification is not consistent with readily accessible information that is on file with the practice
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled

The presentation of suspicious personal identifying information, such as a suspicious address change:
- Personal identifying information provided is inconsistent when compared against external information sources used by the practice, for example:
  - The address does not match any address in a consumer report; or
  - The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File
- Personal identifying information provided by the patient is not consistent with other personal identifying information provided by the patient. For example, there is a lack of correlation between the SSN range and date of birth
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the practice. For example:
  - The address on an application is the same as the address provided on a fraudulent application; or
  - The phone number on an application is the same as the number provided on a fraudulent application
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the practice. For example:
  - The address on an application is fictitious, a mail drop, or a prison; or
  - The phone number is invalid, or is associated with a pager or answering service
- The SSN provided is the same as that submitted by other persons opening an account or other patients
- The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other patients
- The patient fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete
- Personal identifying information provided is not consistent with personal identifying information that is on file with the practice
- If the practice uses challenge questions to identify patients, the patient cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report

The unusual use of, or other suspicious activity related to, a covered account:
- Mail sent to the patient is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the patient's covered account
- The practice is notified that the patient is not receiving paper account statements
- The practice is notified of unauthorized charges or transactions in connection with a patient's covered account

Notice from patients, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the practice:
- The practice is notified by a patient, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft

2. Detecting Red Flags

The practice's identity theft prevention program should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
- Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and
- Authenticating patients, monitoring transactions, and verifying the validity of change-of-address requests, in the case of existing covered accounts
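As an added example (not part of the MGMA guidance or the FTC's materials), several of the Red Flags listed under Section 1 that concern personal identifying information and account activity can be reduced to checks run when a patient record is opened or touched, which is the detection step Section 2 calls for. The record fields, the Death Master File entries, the mail-drop addresses and the prior fraudulent applications below are constructed placeholders that a practice would replace with its own data sources.

```python
from dataclasses import dataclass

REQUIRED_FIELDS = ("name", "dob", "ssn", "address", "phone")

# Constructed placeholder reference data; none of these are real records.
DEATH_MASTER_FILE = {"123-45-6789"}           # SSNs reported as deceased
KNOWN_MAIL_DROPS = {"PO BOX 999, ANYTOWN"}     # addresses that are mail drops
PRIOR_FRAUD_APPS = [{"address": "1 FAKE ST, ANYTOWN", "phone": "555-0100"}]


@dataclass
class Intake:
    """One patient intake record (field names are assumed, not from the rule)."""
    ssn: str = ""
    name: str = ""
    dob: str = ""
    address: str = ""
    phone: str = ""
    returned_mail: int = 0        # statements returned undeliverable
    recent_transactions: int = 0  # charges posted in the same period


def screen_intake(intake, patients_on_file):
    """Return the Red Flags raised by one intake record, in check order.

    patients_on_file maps SSN -> Intake for existing covered accounts.
    """
    flags = []
    # Suspicious personal identifying information
    if any(not getattr(intake, f) for f in REQUIRED_FIELDS):
        flags.append("incomplete_application")
    if intake.ssn in DEATH_MASTER_FILE:
        flags.append("ssn_on_death_master_file")
    address = intake.address.upper()
    if address in KNOWN_MAIL_DROPS:
        flags.append("address_is_mail_drop")
    if any(address == a["address"] or intake.phone == a["phone"]
           for a in PRIOR_FRAUD_APPS):
        flags.append("matches_prior_fraudulent_application")
    # SSN already on file under a different name or date of birth
    on_file = patients_on_file.get(intake.ssn)
    if on_file and (on_file.name != intake.name or on_file.dob != intake.dob):
        flags.append("ssn_conflicts_with_file")
    # Unusual account activity: repeated returned mail while charges continue
    if intake.returned_mail >= 2 and intake.recent_transactions > 0:
        flags.append("returned_mail_with_activity")
    return flags
```

Each returned flag name maps to one bullet in the FTC's categories above, so the output can feed the response step in Section 3 and the annual compliance report in Section 5.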
3. Preventing and Mitigating Identity Theft

The practice's identity theft prevention program should provide for appropriate responses to the Red Flags the practice has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a medical practice should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a patient's account records held by the practice or a third party, or notice that a patient has provided information related to a covered account held by the practice to someone fraudulently claiming to represent the practice or to a fraudulent website. Appropriate responses to the Red Flags may include the following:
- Monitoring a covered account for evidence of identity theft
- Contacting the patient
- Changing any passwords, security codes, or other security devices that permit access to a covered account
- Reopening a covered account with a new account number
- Not opening a new covered account
- Closing an existing covered account
- Not attempting to collect on a covered account or not selling a covered account to a debt collector
- Notifying law enforcement; or
- Determining that no response is warranted under the particular circumstances

4. Updating the identity theft prevention program

Practices should update the identity theft prevention program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to patients or to the safety and soundness of the practice from identity theft, based on factors such as:
- The experiences of the practice with identity theft
- Changes in methods of identity theft
- Changes in methods to detect, prevent, and mitigate identity theft
- Changes in the types of accounts that the practice offers or maintains; and
- Changes in the business arrangements of the practice, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements

5. Methods for administering the identity theft prevention program

Oversight of program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
- Assigning specific responsibility for the identity theft prevention program's implementation
- Reviewing reports prepared by staff regarding compliance by the practice with the Red Flags rule; and
- Approving material changes to the identity theft prevention program as necessary to address changing identity theft risks

Reports

In general. Staff running the identity theft prevention program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the practice with the Red Flags rule.

Contents of report.
The report should address material matters related to the identity theft prevention program and evaluate issues such as: the effectiveness of the policies and procedures of the practice in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the identity theft prevention program.

Oversight of service provider arrangements. Whenever a practice engages a service provider to perform an activity in connection with one or more covered accounts, the practice should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, the practice could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the practice, or to take appropriate steps to prevent or mitigate identity theft.

6. Other Applicable Legal Requirements

Practices that qualify as creditors should be mindful of other related legal requirements that may be applicable, such as:
- For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation
- Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert
- Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate
- Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft; and
- Though the FTC did not specifically include them in its guidance, practices are still subject to the Health Insurance Portability and Accountability Act (HIPAA), including the privacy regulations found at 45 C.F.R. Parts 160 and 164, and the full array of health care laws with which you currently comply