FTC Red Flag Rules for Physicians

The following is an article from the FTC website offering valuable information for Red Flag Rules for Physicians:

The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

by Steven Toporoff

As many as nine million Americans have their identities stolen each year. The crime takes many forms. But when identity theft involves health care, the consequences can be particularly severe.

Medical identity theft happens when a person seeks health care using someone else’s name or insurance information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.

The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft. Is your practice covered by the Red Flags Rule? If so, have you developed your Identity Theft Prevention Program to detect, prevent, and minimize the damage that could result from identity theft?

WHO MUST COMPLY

Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

SPOTTING RED FLAGS

The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. Your office may already have a fraud prevention or security program in place that you can use as a starting point.

If you’re covered by the Rule, your program must:

1. Identify the kinds of red flags that are relevant to your practice;
2. Explain your process for detecting them;
3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
4. Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule — available atftc.gov/redflagsrule — sets out some examples, but here are a few warning signs that may be relevant to health care providers:

• Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you — for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.
• Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file or from the insurer, fraud could be afoot.
• Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.
• Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.
  

SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM

Once you’ve identified the red flags that are relevant to your practice, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you request additional documentation? If you’re notified that an identity thief has run up medical bills using another person’s information, how will you ensure that the medical records are not commingled and that the debt is not charged to the victim? Of course, your response will vary depending on the circumstances and the need to accommodate other legal and ethical obligations — for example, laws and professional responsibilities regarding the provision of routine medical and emergency care services. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if your organization or practice doesn’t have a Board, by a senior employee. The Board or senior employee may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers — for example, those who manage your patient billing or debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.

WHAT’S AT STAKE

Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that you’re doing your part to fight identity theft.

Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit ftc.gov/redflagsrule.

In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at ftc.gov/redflagsrule.

Questions about the Rule? Email info@redflagmd.com.

Steven Toporoff is an attorney with the FTC’s Division of Privacy & Identity Protection.

The new FTC Red Flag Rules

The following article is from the FTC website and provides valuable information regarding the new Red Flag Rules:

The “Red Flags” Rule: Are You Complying with New Requirements for Fighting Identity Theft?

by Tiffany George and Pavneet Singh

The expression “red flag” signals “Danger: Be alert to problems ahead.” For millions of consumers every year, identity theft is more than a threat — it’s their reality. The economic, psychological, and emotional harm to victims can be devastating. But businesses often bear the biggest part of the monetary damage from identity theft.

It’s everyone’s responsibility to do what they can to fight identity theft. But businesses and organizations that offer credit or other financial services can be the first to spot the red flags that signal the risk of identity theft, including suspicious activity indicating that identity thieves may be using stolen information like names, Social Security numbers, account numbers, and birth dates to open new accounts or raid existing ones.

Under the Red Flags Rule, which went into effect on January 1, 2008 *, certain businesses and organizations are required to spot and heed the red flags that often can be the telltale signs of identity theft. To comply with the new Red Flags Rule — enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) — you may need to develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.

Are you covered by the Red Flags Rule? If so, have you put into place the new procedures the Rule requires?

Who Must Comply

Although every business or organization with an ongoing relationship with consumers should keep an eye out for the possibility of identity theft, the Red Flags Rule applies only to “financial institutions” and “creditors." To determine if your business or organization is covered by the Rule and required to develop a written identity theft Program, you’ll need to answer two questions:

1. Is your business or organization either a “financial institution” or “creditor,” as those terms are defined in the Rule?
2. If so, do you have “covered accounts”?

A “financial institution” is a bank, savings and loan, credit union, or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers. Examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts. Another example would be a brokerage account that allows consumers to write checks.

Your business or organization is a “creditor” if you regularly:

• extend, renew, or continue credit;
• arrange for someone else to extend, renew, or continue credit; or
• are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Under the Rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.

If you determine you’re a financial institution or a creditor, the next step is to see if you have “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts.

The other is one for which there is a foreseeable risk of identity theft. For example, one type of account that should be considered for coverage because it may be vulnerable to identity theft is a small business or sole proprietorship account. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed — i.e. what type of interaction and documentation is required — as well as your experience with identity theft.

If your business or organization is a financial institution or creditor, but does not have any covered accounts, you don’t need a program. But if you have covered accounts, you must develop a written program to identify and address the red flags that could indicate identity theft.

How To Comply

The Rule doesn’t tell you specifically what your red flags program must look like. Instead, it gives you flexibility to implement a program that best suits your business or organization, as long as it meets the Rule’s requirements.

Your starting point for developing a program is the Guidelines issued with the Red Flags Rule, available atwww.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. (The Guidelines are on pages 63773-63774 of the document.) The Guidelines list the issues you must consider in developing and maintaining a program appropriate for your business or organization. You also should draw on your own experience and knowledge about identity theft risks in developing your program.

There are four basic steps to designing a program to comply with the Rule:

1. Identify relevant red flags;
2. Detect red flags;
3. Prevent and mitigate identity theft; and
4. Update your program periodically.

In addition, your program must spell out how it will be administered. The program should be appropriate to the size and complexity of your company or organization, as well as the nature of your operations.

Identify Relevant Red Flags

Under the Rule, financial institutions and creditors with covered accounts must develop a written program to identify the warning signs of identity theft.

The Guidelines describe the following categories of warning signs — red flags — that your program must identify and address:

• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information;
• suspicious activity relating to a covered account; or
• notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

When identifying red flags, consider the nature of your business and the type of identity theft to which you might be vulnerable.

Detect Red Flags

Once you’ve identified the red flags that are relevant to your organization or business, you must establish policies and procedures to detect them in your day-to-day operations.

For example, you may spot red flags when you verify a consumer’s identity, authenticate customers, monitor transactions, or verify requests for changes of address. Some red flags may seem harmless on their own, but can signal identity theft when paired with other events, say, a change of address coupled with the use of an address associated with fraudulent accounts.

Prevent and Mitigate Identity Theft

Your program must include appropriate responses to your red flags to prevent and mitigate identity theft. These responses could include monitoring an account, closing an account, not opening a new account, contacting the consumer when you spot a red flag, or a combination. Sometimes you may determine that no response is necessary. In other cases, certain events — such as a recent data breach, a phishing fraud that targeted your business or organization, or another suspicious activity — may raise the risk of identity theft and require specific preventive actions.

Update Your Program Periodically

Because identity theft threats change, your program must describe how you will update it to ensure that you are considering new risks and trends.

Administering Your Program

No matter how good your program looks on paper, the true test is how it works. Your program must describe how it will be administered, including how you will get the approval of your management, maintain the program, and keep it current.

According to the Rule, your program must be approved by your Board of Directors or, if your business or organization doesn’t have a Board, by a senior employee. The Board or designated senior employee also must approve any material changes to the program. Your program should include staff training as appropriate, and provide a way for you to monitor the work of your service providers. The keys are to maintain oversight of the program, keep it relevant and current, and ensure that all necessary members of your staff — from the boardroom to the mail room — are on board. A program that stays in a filing cabinet isn’t a good program.

Penalties for Noncompliance

Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties. But there’s an even more important reason for compliance: It’s just plain good business. It assures your customers that you are doing your part to fight identity theft.

Have questions about how health care providers can comply with the Rule? Email info@redflagmd.com.

Tiffany George and Pavneet Singh are attorneys in the Federal Trade Commission’s Division of Privacy and Identity Protection.