Getting in Compliance with the FTC Red Flags Rule as May 1st Enforcement Date Approaches
In November 2007, the Federal Trade Commission (the "FTC") released a final rule that requires certain organizations to implement an identity theft prevention program.1 This rule is known as the Red Flags Rule since it requires financial institutions and creditors to look for "red flags" that signal possible identity theft. Despite opposition from the American Medical Association and several medical associations (collectively, the "AMA"), the FTC recently confirmed its position that physicians and other health care providers are likely to be considered creditors and subject to the Red Flags Rule. The FTC may impose civil penalties in the event of a knowing violation, which constitutes a pattern or practice of violations of the Red Flags Rule. In addition, State Attorneys General also have authority to recover damages for violations of the Rule, including costs and attorney fees.
The Red Flags Rule was effective January 1, 2008 and the mandatory enforcement date was originally November 1, 2008. The FTC suspended enforcement of the Rule until May 1, 2009.2 Given the impending enforcement date and the FTC's re-stated position in the FTC's recently published "Fighting Fraud With the Red Flags Rule How-To Guide for Business" that the Red Flags Rule may apply to health care providers, this Provider Alert is intended to remind providers of the Red Flags Rule requirements.3 We are available to provide assistance in the crafting of Red Flags Rule compliance and implementation measures and preparing required modifications to providers' contracts with vendors.
The Red Flags Rule requires that "financial institutions" and "creditors" that offer or maintain "covered accounts," develop and implement a program to identify, detect, and respond to identity theft (the "Program"). A health care provider is most likely not a financial institution.4 So is a health care provider a creditor? The devil is in the details - or here - in the definition of a "creditor."
Definition of a Creditor. At first blush it seems unlikely that a health care provider is a creditor under the Red Flags Rule. The FTC provides the following definition:
Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.5
There appears to be little in common between these industries and the provision of health care services. This definition, however, also refers to the definition of creditor in the Equal Credit Opportunity Act ("ECOA"): "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."(emphasis added)6 Credit is defined as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore." (emphasis added)7 A broad reading of these definitions can implicate health care providers.
FTC and AMA Disagree. The FTC interprets the definition of creditor broadly: if a health care provider regularly bills his or her patients after services are rendered, the health care provider is a creditor. The FTC explains that health care providers are creditors when they submit a claim to a health insurance carrier and defers the patients' share of medical expenses.8 This may be limited to a patient's co-insurance or deductible, or may include any services that are not covered by the health insurance carrier.9 In a recent letter to the AMA, the FTC explained "professionals, including physicians, who regularly bill their clients, customers, or patients for their services after those services are rendered, are 'creditors' under the ECOA."10 The AMA disagrees.
The AMA believes that the FTC is taking an overly broad reading of the definition of creditor and point to several cases that interpret creditor more narrowly. The AMA also contends that the physician community did not have an opportunity to comment on the application of the Red Flags Rule to physicians during the rule making process. The AMA requests that the FTC publish a new rule that proposes to subject physicians to the Red Flags Rule, thereby allowing physicians (and other health care providers) ample opportunity for review and comment.
Definition of Covered Account. A "creditor" must comply with the Red Flags Rule if he or she offers or maintains "covered accounts." There are two types of covered accounts. The first are accounts offered or maintained by the creditor that are for personal, family or household purposes that involve multiple payments or transactions.11 These include accounts with patients. The second type is accounts offered or maintained for which a foreseeable risk is associated with how the account may be opened or accessed. This may include a business-to-business account.12 If a health care provider is a creditor as defined in the Rule, and as the FTC suggests it could be, such a provider most likely offers or maintains covered accounts and must develop and implement a Program.
Red Flags Rule Program Requirements
The Red Flags Rule requires that creditors that offer or maintain covered accounts must include four basic elements in the Program. The Program must contain policies and procedures to:
- Identify red flags and incorporate them into the Program;
- Detect red flags;
- Respond appropriately to red flags that are detected to prevent and mitigate identity theft; and
- Update the Program periodically.
Identify Red Flags. A creditor is required to identify relevant red flags for covered accounts. The Red Flags Rule includes a list of red flags that must be considered. Examples of possible applicable red flags include:
- During registration the patient identification is inconsistent with the patient name (e.g., drivers license has different last name than provided by patient);
- During registration the patient provides suspicious documents, such as a fake ID or insurance card; and
- The patient complains that he or she received an explanation of benefits for services not received.
Detect Red Flags. Once the health care provider has identified red flags, the provider must take steps to detect them. For example, the health care provider could request identification, such as a driver's license, to confirm the identity of new patients.
Prevent and Mitigate Identity Theft. If a possible identity theft is detected, the health care provider should take steps to prevent or mitigate the identity theft. This could include investigating the matter or notifying law enforcement officials.
Update the Program. The Program should be updated periodically to reflect changes in risks to customers or to the safety and soundness of the health care provider.
A board of directors, an appropriate committee of the board of directors, or if you do not have a board, someone in senior management (collectively, the "Board") must approve the initial Program.13 The Board or a designated employee at the level of senior management should have responsibility for oversight, development, implementation and administration of the Program.14 If the health care provider engages a service provider to perform an activity in connection with a covered account, the provider must perform oversight.15 While not required, this may be accomplished through a service provider agreement or amendment to an existing agreement. In addition, all staff in a position to identify red flags should be trained on the Program.16
What You Should Do Now
In a March 9th letter to the FTC, the AMA requested that the FTC publish a new rule that proposes to specifically subject physicians to the Red Flags Rule.17
The AMA explained that a new proposed rule will provide physicians with an opportunity to comment on the Red Flags Rule's application to physicians. In the interim, the AMA urges the FTC to suspend the application of the Red Flags Rule to physicians. Since the FTC has already extended the enforcement date, it seems likely that the FTC will reject the AMA's request. And with May 1st quickly approaching, physicians and other health care providers do not have much time.
Health care providers may begin by considering the following:
- Are you a creditor?
- Do you offer or maintain covered accounts?
- Are any of the red flags applicable to your practice? Review the FTC's list of red flags.
- What can you do to identify these red flags? Do you require photo identification when the patient completes a new patient intake form?
- Do you have protocols in place to address, prevent, or mitigate identity theft? What if a patient complains that his explanation-of-benefits is inaccurate?
The Program should be appropriate to the size and complexity of the health care provider.18 As an example, a medical practice with a large population is more likely to confront identity theft and is expected to develop a more robust Program. Alternatively, a small, community-based practice may implement a more limited Program. But regardless of the providers' size, if a health care provider is a creditor and opens or maintains covered accounts, the provider must develop and implement a Program before May 1st. Let us know if you have any questions or if we can help you in crafting a compliant Program.
1 72 Fed. Reg. 63717, 63771-63775 (Nov. 9, 2007) (codified at 16 C.F.R. Part 681).
2 The enforcement delay does not apply to the address discrepancy and credit card issuer rules. These rules are not addressed in this Provider Alert.
3 A copy of "Fighting Fraud With the Red Flags Rule A How-To Guide for Business," published by the FTC on April 3, 2009, is available at: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf.
4 See 15 U.S.C. § 1681a(t). A "financial institution" means a state or national bank or savings and loan association, mutual savings bank, state or federal credit union or person that holds a transaction account.
5 16 C.F.R. § 681.2(b)(5).
6 15 U.S.C. § 1691a(e).
7 15 U.S.C. § 1691a(d).
8 Letter from Eileen Harrington, Acting Dir. Of Bureau of Consumer Protection, FTC, to Margaret Garikes, Dir. of Federal Affairs, AMA (Feb. 4, 2009), available at: http://www.ftc.gov/os/closings/staff/090204amaresponse.pdf. (the “FTC Feb. Letter”).
9 FTC Feb. Letter, p. 6.
11 16 C.F.R. § 681.2(b)(3)(i).
12 16 C.F.R. § 681.2(b)(3)(ii).
13 16 C.F.R. § 681.2(e)(1).
14 16 C.F.R. § 681.2(e)(2).
15 16 C.F.R. § 681.2(e)(4).
16 16 C.F.R. § 681.2(e)(3).
17 Letter from Michael D. Maves, MD, MBA, Executive Vice President, CEO, AMA to Hon. Jon Leibowitz, Chairman, FTC (March 9, 2009), available at: http://www.ama-assn.org/ama1/pub/upload/mm/399/administration-red-flag-letter.pdf.
18 16 C.F.R. § 681.2(d)(1).
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.