Tuesday, July 28, 2009

Identity Theft 101: What is the Red Flags Rule?

This is a good article on the basics of the Red Flags Rule:

The Red Flags Rule is a U.S. federal law that requires most every business and organization to develop and implement an identity theft prevention program. The purpose of the identity theft prevention program is to authenticate the identity of customers to reduce incidences of identity theft. Authentication is required when a new financial or credit account is opened or when a change is requested on an existing covered account. The law covers consumer and business accounts.

The broad definitions of “covered account” and “creditor” include most every business and organization. If a business or organization accepts payment for products or services after they are delivered, they are a creditor under the law and must comply. Those that only accept payment prior to or upon delivery are not creditors regardless of how payment is accepted—cash, check or credit card.

Compliance is risk based, meaning that entities must implement a compliance program that is reasonable and appropriate to cover the risks the organization is likely to encounter. For most entities, especially small businesses, compliance is simple, straightforward and will prevent fraud and financial loss by assuring the entity is doing business with a legal person or legal business, and not with an identity thief.

The Red Flags Rule was enacted on January 1, 2008 under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), the first revision to the Fair Credit Reporting Act (FCRA). Compliance under the Red Flags Rule was effective on November 1, 2008 for those entities under the purview of any of five federal banking and credit union regulators (OCC, Federal Reserve System, FDIC, OTS, NCUA). Compliance is required as of August 1, 2009 for those entities regulated by the Federal Trade Commission (FTC).

The law requires that entities regularly conduct a risk assessment to determine if they have covered accounts and to determine if they have any other accounts for which there may be a reasonably foreseeable risk to identity theft. If there are, a written identity theft prevention program is required to describe how the entity will authenticate customers that open new accounts, change existing accounts and access accounts electronically. The program also requires top-level management support and oversight as well as regular risk assessments and program review.

The law gets its name from methods commonly used to authenticate the identity of customers. For example, if new customers are authenticated by requesting picture identification and the picture and description of the person do not bear any resemblance to the person presenting the identification, this is a red flag.

By Joe Campana, July 20, 2009


Monday, July 27, 2009

FTC's Red Flags Rule May Color Some Surprised

While many businesses are surprised to learn of the new Red Flag Rules, none seem more surprised than medical and dental practices - all of which are required to comply by the upcoming Aug 1 deadline.

Definition of 'creditor' expands impact of identity theft rule

WASHINGTON—The Federal Trade Commission next week begins enforcing a data safeguard rule that requires businesses to develop identity theft prevention programs, but observers say many organizations remain unaware the rule applies to them.

Under the FTC's Red Flags Rule that goes into effect Aug. 1, financial institutions and creditors are required to implement a program that identifies and detects warning signs of identity theft. Organizations also must have measures to safeguard data and respond to identity thefts.

“We are trying to get businesses to do their part,” said Manas Mohapatra, an attorney with the FTC in Washington.

Some 9 million U.S. residents' identities are stolen each year, which the FTC said has been its No. 1 consumer complaint the past three years.

A number of initiatives and state laws already address data and network security breaches, but the rule targets identity theft at “its point of origin” and “really picks up where data security leaves off,” Mr. Mohapatra said. “We think this is a more comprehensive fraud detection program.”

Under the rule, companies are required to have written procedures that recognize red flags when someone may be using another person's information. It will require employee training in identifying suspicious patterns or activities that point to fraud, Mr. Mohapatra said.

Organizations also must update their plan because the risks of identity theft and the methods of stealing personal information change rapidly, he said.

Since the rule was enacted in January 2008, the FTC said it has extended its enforcement deadline twice to give more preparation time. To help build awareness, it has held outreach programs through a variety of trade associations, yet observers say many organizations remain unprepared.

Part of the confusion is due to the FTC's broad definition of “creditor,” which includes just about any entity that defers payment for goods or services, observers say. The FTC says creditors can be finance companies, car dealers, health care firms, mortgage brokers, utility companies, telecommunications firms and nonprofits involved in financial transactions.

Experts say the rule extends to retailers, universities, real estate brokers and service providers who may not realize they are subject to the rule.

“Obviously, the financial institutions are on board, but other sectors are getting caught off guard,” said Nicholas Economidis, an underwriter with Beazley USA's technology, media and business service team in Philadelphia.

He said retailers that issue private-label credit cards are particularly confused. “They think that because they have a financial institution handling the accounts, that they have outsourced the exposure and therefore are not subject to the rules.” They are incorrect, he said.

Failure to comply with Red Flags could result in civil fines up to $3,500 per incident. “More importantly, the regulation opens up the door to a wave of potential negligence claims, and companies that fail to comply could be exposed,” Mr. Economidis said.

A number of high-profile, costly cases have boosted organizations' concerns about security and data breaches and many have taken risk-mitigation steps. But the new rule should be a wake-up call that companies need to re-evaluate their programs in order to comply, experts say.

To identify red flags, companies should evaluate their potential exposures and examine the types of accounts they offer or maintain, as well as how access is provided to the accounts. In addition, companies should use identity verification methods for anyone opening up a new account. This could include using a credit reporting company, data broker or the Social Security Number Death Master File, to compare information, the FTC said.

Some firms already may have some procedures in place that can simply be implemented into the program, such as a “know-your-customer rule,” Mohapatra said.

Combating data breaches and identity theft “actually has much more to do with human behavior than it does with technology,” said Mark Pribish, vp and identity theft practice leader with Phoenix-based consulting firm Merchants Information Solutions Inc. He said, with current or former employees often involved in such breaches, every business should consider using pre-employment screening.

Likewise, outsourcing is a risk and companies should review all provider contracts and include language to support security policies, he said.

Companies increasingly are turning to cyber liability and network liability insurance for additional protection, and observers say the Red Flags Rule likely will boost the market.

“We are seeing a huge uptick in both—people looking for coverage and people buying coverage,” said Bob Parisi, national leader for the Tech/Telecom E&O and Network Risk practice at Marsh Inc. in New York.

Data security breaches can be costly. Last year, companies that experienced a data breach paid an average $202 per record compromised, according to the Traverse City, Mich.-based Ponemon Institute L.L.C.

FTC guidance on the Red Flags Rule is at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf.

by: COLLEEN MCCARTHY, www.businessinsurance.co

Amid Anxiety, Red Flag Rules Take Effect

The Red Flag Rules take effect later this week. To date, a survey conducted by i-Comply - the leading provider of compliance tools for physicians - has revealed that more than 65% of all physician practices have yet to take any steps towards Red Flag compliance, although 95% say they will be in compliance by the end of the week.

The Federal Trade Commission’s compliance deadline for its so-called Red Flag Rules has finally arrived, requiring banks and other creditors to have written programs in place to find, stop, and mitigate theft of consumers’ personal data.

The rules formally go into effect Aug. 1, after a three-month extension to give companies more time to find their compliance footing. Still, experts say, many companies are struggling to understand whether they fall under the new rules’ jurisdiction, and how to nail down basic compliance procedures.

One of the most nettlesome questions is who fits the definition of a creditor under the rules, according to Randy Green, a principal with Grant Thornton, who spoke on the Red Flag Rules during a July 23 Webcast.

The rules clearly identify “financial institutions” as entities that offer accounts that let consumers write checks or make payments to third parties through other means, such as telephone transfers. A “creditor,” however, is any entity that regularly extends or renews credit or arranges for others to do so. That could be an auto dealership that provides financing; a doctor’s office billing someone’s co-payment; retailers offering store-only credit cards; or any number of other businesses not in the financial sector per se.

“The bottom line is that the Red Flag Rules apply to many different types of organizations, and it’s important to note that the rule will apply to all covered entities regardless of size,” Jay Brietz, a senior manager at Grant Thornton, said during the same Webcast.

And compliance officers should understand the difference between Red Flag Rules and other data protection rules. Nick Economidis, an underwriter of data privacy risks at the insurance firm Beazley, says most data protection rules aim to prevent sensitive data from exiting out “the back door” of a company when hackers steal it. In contrast, the Red Flag Rules seek to prevent imposters at “the front door” when they walk into a store with already-stolen data, posing as someone else.

Best Practices

Regardless of a company’s current preparation, denial is not a good idea, Green said. “As we are all aware, the bad guys are coming out with new techniques to use stolen identity way faster than anybody can write a regulation,” he said. “Don’t expect that this thing is just going to go away.”

As always, start with a risk assessment—and specifically begin by reviewing how many accounts (both new and old) fall under the rules’ jurisdiction. Brietz recommends asking the following questions: How are customer accounts obtained and maintained? How are new accounts set up? Do people submit a form in person, over the phone, or online?

Also remember that not all credit card purchases are considered covered transactions, unless you can reasonably foresee the transaction leading to identity theft, Green said. The FTC has released a template to help entities that have a low risk of identity theft (businesses that know their customers personally, for example) to comply with the law.

From there, if you know the number of covered accounts you have and then identify all the places those covered accounts can be touched, “that will give you an idea of the places you’re going to need to have controls,” Green said.

Those possible control-points will also help controllers or internal auditors “if there are reasonably foreseeable risks that exist,” Brietz said. For example, asking for a Social Security number could allow someone to use the number of a deceased person; or after asking for an applicant’s home address, the applicant might then immediately change it to another.

Once you see where the gaps and risks are, you can develop a plan to address them, Brietz said. The bad news: “There really isn’t going to be a one-size-fits-all plan to this.”

Other important steps to take for effective compliance:

  • Get your board up to speed. A compliance report should be delivered to boards at least annually, Green said.
  • Re-evaluate your plan annually. That means recognizing what new types of identity theft threats have emerged, Green said. Perhaps some innovative new scheme has emerged; perhaps your business has changed (via a merger, for example), and that has created new holes your plan must fill.
  • Have the appropriate skills. “This regulation is going to cover more than just your internal audit group,” Green warned. Experts from the legal, financial, IT, and other departments should all be versed in the effort.
  • Train. With so many different people involved, don’t underestimate the training efforts that will need to be involved. Employees should be trained on what to look for and how to treat it, Green said.
  • Document the program. The FTC does not spell out any specific recordkeeping, so put yourself in the shoes of the FTC investigator. “What level of reporting would you be comfortable in showing them?” Green said. “That’s probably the best way to think about it.”

Legal Ramifications

Companies must also be wary of any “big event,” Economidis says—anything newsworthy that causes damage to a company’s reputation, or sparks both state and federal investigations. Those events attract the attention of plaintiff lawyers, he warns. “I don’t think a lot of these companies realize that these new government regulations increase their exposure to negligence claims.”

And because the legal consequences of non-compliance can be serious, watch how courts will enforce Red Flag violations, said Peter Vogel, a partner at the law firm Gardere Wynne Sewell, who also spoke during the Webcast. “When we evaluate how courts and judges evaluate each instance of non-compliance, it will give us more information about what we need to do to maybe modify our plans,” he said.

By Jaclyn Jaeger — July 28, 2009, www.complianceweek.com

Coming Soon to a Doctor's Office Near You: Photo ID Check

Elena Castro was finishing the paperwork to buy her first home when the bank called to warn her of a problem -- nearly $10,000 in unpaid hospital bills on her credit report. The charges were for several ear, nose and throat procedures done at hospitals in her region.

But they weren’t for her. And, at the time, Castro was an insured medical student. The charges had been quietly festering for several years, the bank told her, eating away at her credit score.

"It was very, very upsetting and overwhelming. We were about to get married and buy our first home," she remembers. Castro soon discovered that a thief had used her personal information to obtain medical care.

Armed with as little as a stolen name, Social Security number and date of birth, an imposter can walk into a doctor’s office or hospital and receive services billed to the victim or the insurance provider.

Although few statistics are available, the Federal Trade Commission reports that medical identity theft accounts for 1.3 percent to 3 percent of all identity theft crime -- about 250,000 cases each year.

The FTC hopes to address a part of the problem with a new regulation called the "Red Flags Rule," set to take effect on August 1. The rule would require physicians’ offices and hospitals, among other businesses, to create new protocols to spot the "red flags" of identity theft. These could include detecting fake or altered IDs, inconsistencies in a patient’s medical records or fraud alerts from consumer reporting agencies.

Doctors are not only required to implement procedures – such as checking a photo ID – that allow them to detect these warning signs effectively but also to spell out what they'll do when they find something fishy. Physicians would likely plan to alert the victim and avoid sending out a bill for services.

But medical provider groups, including the American Medical Association, insist the rule is misguided.

Their reasoning, in part, comes down to the actual language of the law. The statute specifies that all "creditors" – which are defined as businesses that regularly extend or renew credit – are required to implement the new protocols. That includes auto dealers, lawyers, utility companies and, according to the FTC, any physician’s office or hospital that accepts insurance or allows a payment plan.

The AMA and nearly 100 other physicians groups argue in letters to the FTC that while doctors defer payment for services, they are not creditors. One of the letters says the rule imposes an "unjustified, unfunded mandate on physicians" and could have "serious adverse consequences" on patients’ access to health care.

Dr. Ardis Hoven, an AMA board member and infectious disease specialist in Lexington, Ky., believes the rules "add another degree of regulatory burden for physicians and patients to a system that’s already burdened with responsibilities."

Although the AMA recognizes the problem of medical identity theft, Hoven said her worry is that the regulations could "severely impact" a doctor’s administrative work load. She is also concerned about the rule’s effect on patients: "In my practice, patients arrive acutely ill. The last thing I want is my patient to be detained at the check-in desk when they’re having acute medical problems."

Although Elena Castro, now an emergency room doctor, was a victim herself, she worries that it will also make doctors' practices more difficult. "It may be worth it if it prevents situations like mine, but we already do a ton of paperwork," she says.

Betsy Broder, who oversees the FTC’s Red Flags program, says patients shouldn’t notice much of a difference at the doctor’s office. They might be asked to show a photo ID when they arrive, but most of the changes will affect doctors behind the scenes.

She also notes that the extent of the policies a physician would need to put in place depends on the risk of identity theft at each particular office. A small office with a regular patient base, for example, is less likely to confront an imposter than an office that receives many walk-ins.

The ‘red flag’ regulations, which were developed under the Fair and Accurate Credit Transactions Act of 2003, actually went into effect on November 1, 2008. But beginning August 1, penalties will kick in. Creditors - including doctors or hospitals - could be slapped with a $3,500 fine for each "knowing violation" of the rule.

Broder says the FTC will monitor consumer complaints to look for any patterns of theft at a particular office to pursue investigations. But she adds that "at this early stage, we will be looking for good faith efforts at compliance."

Pam Dixon, executive director of the World Privacy Forum, says "the health care sector is where the financial sector was 10 to 15 years ago." As cost and incidence data emerged, officials in the financial sector realized they needed to take action. She believes the new protections are well worth the obligations the rule imposes.

"Ultimately it’s in the providers’ best interest to work on resolving this problem earlier than later," she says, adding that aside from being one of the most expensive forms of identity theft, the medical variety also is one of the most difficult types to remedy because a victim’s medical records can be nearly impossible to clear.

Elena Castro's fraudulent medical records under her social security number still remain in hospital files. And it's taken her years to completely clear her credit report. "It was very frustrating and a waste of my time," she says.

Theresa Fleming, another victim of medical identity theft in which a thief used her social security number to access emergency medical care, says she has called the hospital repeatedly to get her record expunged. "I felt so violated, it just feels so eerie," she says. "After you get this, you get very leery about everything."

Thursday, July 16, 2009

Red Flag Toolkit for Physicians

The FTC requires all physician and dental practices to have completed "Red Flag Rule" procedures in place by August 1, 2009. Join thousands of other doctors and dentists in purchasing our cost-effective Red Flag Rule toolkit - bringing your practice into immediate compliance for only $79. What are you waiting for?

i-Comply's Red Flag Toolkit is specifically designed to be the ONLY solution your practice needs to be in compliance with the FTC regulations. While some companies offer extremely complex, expensive subscriptions or CD-ROM packages costing $500-$1000 per year or more, we think that is just exploiting the situation. The reality is that the FTC requires medical and dental practices to have a straightforward written policy for their office, and to have procedures in place to identify and mitigate identity theft. Our solution does just that, at a fraction of the price and requiring almost no effort or time to your practice.

Wednesday, July 15, 2009

FTC Red Flag Rule Guide

The FTC has published a guide to their Red Flag Rules. If you're interested in developing your own program, this guide is instrumental. For the average practice manager, you should expect to devote between 25-40 hours to properly develop your own Red Flag Policy and training program.

Saturday, June 27, 2009

FTC Red Flag Rules for Physicians

The following is an article from the FTC website offering valuable information for Red Flag Rules for Physicians:

The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

by Steven Toporoff

As many as nine million Americans have their identities stolen each year. The crime takes many forms. But when identity theft involves health care, the consequences can be particularly severe.

Medical identity theft happens when a person seeks health care using someone else’s name or insurance information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.

The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft. Is your practice covered by the Red Flags Rule? If so, have you developed your Identity Theft Prevention Program to detect, prevent, and minimize the damage that could result from identity theft?

WHO MUST COMPLY

Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

SPOTTING RED FLAGS

The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. Your office may already have a fraud prevention or security program in place that you can use as a starting point.

If you’re covered by the Rule, your program must:

  1. Identify the kinds of red flags that are relevant to your practice;
  2. Explain your process for detecting them;
  3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
  4. Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule — available at ftc.gov/redflagsrule — sets out some examples, but here are a few warning signs that may be relevant to health care providers:

  • Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you — for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.
  • Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file or from the insurer, fraud could be afoot.
  • Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.
  • Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.
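The four warning-sign categories above, together with the Death Master File comparison and the "immediate address change" pattern mentioned in the earlier articles, can be expressed as a small set of checks that a practice runs against each check-in. The following Python is an added illustration, not code from the FTC or from any practice: the record layouts (OnFile, Intake), the field names, the two-returned-statements threshold, the seven-day address-change window and the deceased-SSN list are all assumptions, and every patient record in it is constructed sample data. The script also shows the two responses the guidance describes (ask for more documentation; hold billing and keep records from being commingled).

```python
"""Rule-based red-flag screening of a patient check-in against the practice's own records.

Added illustration, not FTC or practice code. All records below are constructed; the
OnFile/Intake layouts, thresholds and the deceased-SSN list are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class OnFile:
    """What the practice (and, if known, the insurer) already holds for a patient."""
    dob: str
    address: str
    ssn_last4: str
    insurer_dob: Optional[str] = None


@dataclass
class Intake:
    """What was presented and observed at check-in for one visit."""
    patient_id: str
    dob: str
    address: str
    ssn_last4: str
    id_looks_altered: bool = False
    id_photo_matches: bool = True
    address_changed_after_days: Optional[int] = None  # address changed N days after being given
    returned_mail_count: int = 0                       # statements returned as undeliverable
    kept_appointments_90d: int = 0                     # visits actually attended recently
    disputed_bill: bool = False                        # bill disputed for a service not received
    external_notice: Optional[str] = None              # e.g. "insurer", "law enforcement", "victim"


def red_flags(intake: Intake, on_file: OnFile,
              deceased_ssn_last4: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the red flags raised by one check-in, prefixed with the FTC example category."""
    flags: List[str] = []

    # 1. Suspicious documents
    if intake.id_looks_altered:
        flags.append("document: ID appears altered or forged")
    if not intake.id_photo_matches:
        flags.append("document: ID photo or description does not match the person presenting it")

    # 2. Suspicious personally identifying information (compared to the file and the insurer)
    if intake.dob != on_file.dob:
        flags.append("pii: date of birth differs from the record on file")
    if on_file.insurer_dob is not None and intake.dob != on_file.insurer_dob:
        flags.append("pii: date of birth differs from the insurer's record")
    if intake.ssn_last4 != on_file.ssn_last4:
        flags.append("pii: SSN differs from the record on file")
    if intake.ssn_last4 in deceased_ssn_last4:  # stand-in for a Death Master File lookup
        flags.append("pii: SSN is listed as belonging to a deceased person")
    if intake.address != on_file.address:
        flags.append("pii: home address differs from the record on file")
    if intake.address_changed_after_days is not None and intake.address_changed_after_days <= 7:
        flags.append("pii: address changed again within a week of being given")

    # 3. Suspicious activities
    if intake.returned_mail_count >= 2 and intake.kept_appointments_90d > 0:
        flags.append("activity: mail repeatedly returned undeliverable while patient keeps appointments")
    if intake.disputed_bill:
        flags.append("activity: patient disputes a bill for a service not received")

    # 4. Notices from victims, law enforcement, insurers or others
    if intake.external_notice:
        flags.append(f"notice: identity-theft warning received from {intake.external_notice}")

    return flags


def recommended_response(flags: List[str]) -> List[str]:
    """Map the categories present to the responses the FTC guidance describes."""
    actions: List[str] = []
    categories = {f.split(":", 1)[0] for f in flags}
    if categories & {"document", "pii"}:
        actions.append("request additional identifying documentation before opening or billing the account")
    if categories & {"activity", "notice"}:
        actions.append("hold billing; review the chart so records are not commingled and the victim is not charged")
    if not actions:
        actions.append("no red flag; proceed normally")
    return actions


# Constructed sample: one established patient record and two check-ins against it.
ON_FILE = OnFile(dob="1978-04-02", address="12 Elm St", ssn_last4="1234", insurer_dob="1978-04-02")
DECEASED = frozenset({"9999"})  # placeholder list; a real program would query the Death Master File
ROUTINE = Intake("P-001", dob="1978-04-02", address="12 Elm St", ssn_last4="1234", kept_appointments_90d=2)
SUSPECT = Intake("P-001", dob="1979-04-02", address="12 Elm St", ssn_last4="9999",
                 id_photo_matches=False, returned_mail_count=3, kept_appointments_90d=2)

if __name__ == "__main__":
    for visit in (ROUTINE, SUSPECT):
        found = red_flags(visit, ON_FILE, DECEASED)
        print(visit.patient_id, found, recommended_response(found))
```

The checks are deliberately independent of each other so a practice can drop or retune any one of them after its own risk assessment, and the emergency-care caveat in the guidance still applies: the response list is advice to front-desk staff, not a gate on treatment.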

SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM

Once you’ve identified the red flags that are relevant to your practice, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you request additional documentation? If you’re notified that an identity thief has run up medical bills using another person’s information, how will you ensure that the medical records are not commingled and that the debt is not charged to the victim? Of course, your response will vary depending on the circumstances and the need to accommodate other legal and ethical obligations — for example, laws and professional responsibilities regarding the provision of routine medical and emergency care services. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if your organization or practice doesn’t have a Board, by a senior employee. The Board or senior employee may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers — for example, those who manage your patient billing or debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.

WHAT’S AT STAKE

Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that you’re doing your part to fight identity theft.

Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit ftc.gov/redflagsrule.

In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at ftc.gov/redflagsrule.

Questions about the Rule? Email info@redflagmd.com.

Steven Toporoff is an attorney with the FTC’s Division of Privacy & Identity Protection.


The new FTC Red Flag Rules

The following article is from the FTC website and provides valuable information regarding the new Red Flag Rules:

The “Red Flags” Rule: Are You Complying with New Requirements for Fighting Identity Theft?

by Tiffany George and Pavneet Singh

The expression “red flag” signals “Danger: Be alert to problems ahead.” For millions of consumers every year, identity theft is more than a threat — it’s their reality. The economic, psychological, and emotional harm to victims can be devastating. But businesses often bear the biggest part of the monetary damage from identity theft.

It’s everyone’s responsibility to do what they can to fight identity theft. But businesses and organizations that offer credit or other financial services can be the first to spot the red flags that signal the risk of identity theft, including suspicious activity indicating that identity thieves may be using stolen information like names, Social Security numbers, account numbers, and birth dates to open new accounts or raid existing ones.

Under the Red Flags Rule, which went into effect on January 1, 2008, certain businesses and organizations are required to spot and heed the red flags that often can be the telltale signs of identity theft. To comply with the new Red Flags Rule — enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) — you may need to develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.

Are you covered by the Red Flags Rule? If so, have you put into place the new procedures the Rule requires?

Who Must Comply

Although every business or organization with an ongoing relationship with consumers should keep an eye out for the possibility of identity theft, the Red Flags Rule applies only to “financial institutions” and “creditors.” To determine if your business or organization is covered by the Rule and required to develop a written identity theft Program, you’ll need to answer two questions:

  1. Is your business or organization either a “financial institution” or “creditor,” as those terms are defined in the Rule?
  2. If so, do you have “covered accounts”?

A “financial institution” is a bank, savings and loan, credit union, or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers. Examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts. Another example would be a brokerage account that allows consumers to write checks.

Your business or organization is a “creditor” if you regularly:

  • extend, renew, or continue credit;
  • arrange for someone else to extend, renew, or continue credit; or
  • are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Under the Rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.

If you determine you’re a financial institution or a creditor, the next step is to see if you have “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts.

The other is one for which there is a foreseeable risk of identity theft. For example, one type of account that should be considered for coverage because it may be vulnerable to identity theft is a small business or sole proprietorship account. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed — i.e. what type of interaction and documentation is required — as well as your experience with identity theft.

If your business or organization is a financial institution or creditor, but does not have any covered accounts, you don’t need a program. But if you have covered accounts, you must develop a written program to identify and address the red flags that could indicate identity theft.

How To Comply

The Rule doesn’t tell you specifically what your red flags program must look like. Instead, it gives you flexibility to implement a program that best suits your business or organization, as long as it meets the Rule’s requirements.

Your starting point for developing a program is the Guidelines issued with the Red Flags Rule, available at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. (The Guidelines are on pages 63773-63774 of the document.) The Guidelines list the issues you must consider in developing and maintaining a program appropriate for your business or organization. You also should draw on your own experience and knowledge about identity theft risks in developing your program.

There are four basic steps to designing a program to comply with the Rule:

  1. Identify relevant red flags;
  2. Detect red flags;
  3. Prevent and mitigate identity theft; and
  4. Update your program periodically.

In addition, your program must spell out how it will be administered. The program should be appropriate to the size and complexity of your company or organization, as well as the nature of your operations.

Identify Relevant Red Flags

Under the Rule, financial institutions and creditors with covered accounts must develop a written program to identify the warning signs of identity theft.

The Guidelines describe the following categories of warning signs — red flags — that your program must identify and address:

  • alerts, notifications, or warnings from a consumer reporting agency;
  • suspicious documents;
  • suspicious personally identifying information;
  • suspicious activity relating to a covered account; or
  • notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

When identifying red flags, consider the nature of your business and the type of identity theft to which you might be vulnerable.

Detect Red Flags

Once you’ve identified the red flags that are relevant to your organization or business, you must establish policies and procedures to detect them in your day-to-day operations.

For example, you may spot red flags when you verify a consumer’s identity, authenticate customers, monitor transactions, or verify requests for changes of address. Some red flags may seem harmless on their own, but can signal identity theft when paired with other events, say, a change of address coupled with the use of an address associated with fraudulent accounts.

Prevent and Mitigate Identity Theft

Your program must include appropriate responses to your red flags to prevent and mitigate identity theft. These responses could include monitoring an account, closing an account, not opening a new account, contacting the consumer when you spot a red flag, or a combination. Sometimes you may determine that no response is necessary. In other cases, certain events — such as a recent data breach, a phishing fraud that targeted your business or organization, or another suspicious activity — may raise the risk of identity theft and require specific preventive actions.

Update Your Program Periodically

Because identity theft threats change, your program must describe how you will update it to ensure that you are considering new risks and trends.

Administering Your Program

No matter how good your program looks on paper, the true test is how it works. Your program must describe how it will be administered, including how you will get the approval of your management, maintain the program, and keep it current.

According to the Rule, your program must be approved by your Board of Directors or, if your business or organization doesn’t have a Board, by a senior employee. The Board or designated senior employee also must approve any material changes to the program. Your program should include staff training as appropriate, and provide a way for you to monitor the work of your service providers. The keys are to maintain oversight of the program, keep it relevant and current, and ensure that all necessary members of your staff — from the boardroom to the mail room — are on board. A program that stays in a filing cabinet isn’t a good program.

Penalties for Noncompliance

Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties. But there’s an even more important reason for compliance: It’s just plain good business. It assures your customers that you are doing your part to fight identity theft.

Have questions about how health care providers can comply with the Rule? Email info@redflagmd.com.

Tiffany George and Pavneet Singh are attorneys in the Federal Trade Commission’s Division of Privacy and Identity Protection.


Wednesday, May 27, 2009

FTC and Privacy

Here's what the FTC has to say about "privacy."

Privacy is a central element of the FTC's consumer protection mission. In recent years, advances in computer technology have made it possible for detailed information about people to be compiled and shared more easily and cheaply than ever. That has produced many benefits for society as a whole and individual consumers. For example, it is easier for law enforcement to track down criminals, for banks to prevent fraud, and for consumers to learn about new products and services, allowing them to make better-informed purchasing decisions. At the same time, as personal information becomes more accessible, each of us - companies, associations, government agencies, and consumers - must take precautions to protect against the misuse of our information.

The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy, including the security of personal information. Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information. Under the Gramm-Leach-Bliley Act, the Commission has implemented rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information, and it aggressively enforces against pretexting. The Commission also protects consumer privacy under the Fair Credit Reporting Act and the Children's Online Privacy Protection Act. Use the topic links on the left to read more about our efforts in each of these areas, including what we've learned, and what you can do to protect the privacy of your personal information.


Monday, May 4, 2009

The FTC has decided to grant an extension for complying with the Red Flag Rules to all companies, including medical practices, until August 1, 2009.

FTC Will Grant Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, and a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule. The compliance template will be available on this Web site.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

Friday, March 27, 2009

HIPAA Facts

There is a flood of information regarding the Health Insurance Portability and Accountability Act (HIPAA) available to practice managers.

The best site for information is HIPAA.org. This is a government-run site that has links to all the important documents and references for HIPAA. This is a good link if you're interested in detailed information regarding the HIPAA Privacy Rule.

A good commercial site that provides practice managers useful tools and information regarding HIPAA is the i-Comply corporate site.