Do healthcare providers have to comply with the Red Flags Rule? The answer is, it depends.
In 2007, Congress passed the Red Flags Rule, a piece of legislation that, when implemented, will have a tremendous impact on how businesses and professionals maintain and protect data and information. The Red Flags Rule requires that all organizations subject to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) develop and implement a formal, written and revisable "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft.
The regulation will be enforced by the Federal Trade Commission (FTC), all federal bank regulatory agencies and the National Credit Union Administration. The implementation of the regulation has been continuously postponed, most recently until December 31, 2010.
The Red Flags Rule, as originally adopted, applies to financial institutions and creditors with covered accounts. Under the Red Flags Rule, a covered account is any account for which there is a foreseeable risk of identity theft, including credit card accounts, cell phone accounts, checking accounts and most types of savings accounts, to name a few.
What makes the original Red Flags Rule so encompassing, however, is its applicability to creditors, originally defined as:
- any entity with covered accounts that regularly extends, renews or continues credit,
- any entity that regularly arranges for the extension, renewal or continuation of credit, or
- any assignee of an original creditor that is involved in the decision to extend, renew or continue credit.
Based upon this definition, physicians and other healthcare providers would be expected to comply. Numerous lawsuits were filed on their behalf, arguing that the legislation should not apply to them merely because they did not receive payment at the time they administered services. In addition, while the healthcare industry acknowledged that medical identity theft is a major concern, physicians and other providers argued that HIPAA and other regulations already safeguarded patient data.
To address these concerns, Congress recently passed the Red Flag Program Clarification Act of 2010 (Clarification Act) to limit the scope of the Red Flags Rule.
In particular, the Clarification Act redefined "creditor" to be an entity that regularly, and in the ordinary course of business, (i) obtains or uses consumer reports, directly or indirectly, in a transaction; (ii) furnishes information to consumer reporting agencies in connection with a credit transaction; or (iii) advances funds to a person based on an obligation of the person to repay the funds.
Specifically excluded from the definition is a creditor (e.g., a healthcare provider) that advances funds for expenses related to services provided by the creditor to the person (e.g., a patient) who actually received the services. Many professionals who originally would have had to comply with the Red Flags Rule are now exempt. Furthermore, the exclusion is consistent with the background information provided with the Clarification Act in which Congress states that the original Red Flags Rule included lawyers, physicians, veterinarians and other small businesses for whom compliance would have resulted in an unnecessary cost burden.
Not a Blanket Exemption
The Clarification Act does not, however, provide a blanket exemption for healthcare providers. Therefore, it is important to carefully review the revised definition of creditor. Many healthcare providers regularly obtain or use consumer reporting data or furnish information to consumer reporting agencies. As a result, they are considered creditors under the Clarification Act and still need to comply with the Red Flags Rule.
By December 31, 2010, healthcare businesses and professionals that are not exempt must have developed a written program that identifies and detects the warning signs of identity theft. These "red flags" include:
- Alerts, notifications or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Unusual use of or suspicious activity relating to a covered account
- Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts
The written program must describe appropriate responses to these red flags and detail a plan to update the program. Furthermore, it must be managed by a board of directors, include appropriate staff training and provide for oversight of any service providers used by the business.
Many healthcare providers already have general risk policies and procedures in place, but even those may not pass muster under the Red Flags Rule. In fact, the final regulation requires a separate Identity Theft Prevention Program, although it can reference other policies and procedures already in place to avoid unnecessary duplication.
The Red Flags Rule does not require healthcare providers to be perfect in order to be in compliance. If the FTC or another governing agency raises an issue, the provider will have an opportunity to show that it made a "reasonable effort" to comply with the regulation. Failure to comply may result in agency-imposed sanctions, lawsuits and damage to the provider's reputation.
For general information about the Red Flags Rule, visit the news section of the FTC's website (http://www.ftc.gov/opa/2007/10/redflag.shtm) and its How-To Guide for Business (http://www.ftc.gov/redflagsrule). For legal advice regarding a particular situation, healthcare providers should consult with their attorneys.
Kevin J. Ryan, Chair of the Health Care Law group at Chicago-based Much Shelist, concentrates his practice on legal and regulatory issues facing the health care industry. His clients include hospitals, nursing homes, surgery centers and physician groups. He can be reached at 312-521-2429, or firstname.lastname@example.org.