On December 4, 2003, the Fair and Accurate Credit Transactions Act of 2003 was signed into law. As part of this Act, in November 2007, the Federal Trade Commission ("FTC") created the Red Flag Rules ("Rules") to combat prevailing identity theft issues. Ultimately this resulted in the FTC applying financial institution and creditor regulations to a physician's practice to combat identity theft within the health care industry.
This article is intended to provide a summary of the Rules and an update on the status of the enforcement of the Rules. Our previous article in the SettlePou Newsletter, August 2009, Volume 6, Issue 3, provides a more in-depth look into the Rules.
Summary of the Rules
The Rules require financial institutions or creditors that offer or maintain one or more covered accounts to develop and implement written identity theft prevention programs.
A creditor is defined as any person who regularly extends, renews, or continues credit, including businesses that regularly defer payment for services or provide services and bill customers later. As you can see, this expansive definition can cover health care providers who engage in practices such as (1) regularly billing patients after the completion of service, including for the remainder of medical fees not reimbursed by insurance; (2) regularly allowing patients to set up payment plans after services have been rendered; and (3) assisting patients in getting credit from other sources. Covered accounts can be: (1) accounts that creditors offer or maintain, primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions (e.g., patient billing accounts); and (2) any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft (e.g., patient records). It is because of these broad definitions that health care providers may become subject to the Rules.
Once a health care provider falls within the scope of the Rules, it is required to establish a program that detects, prevents, and mitigates identity theft. Our previous article further examines the fundamentals of establishing a prevention program.
Entities that fail to comply with the Rules may be fined $2,500 per violation; however, the scope of "violation" is unclear, so it is uncertain how this fine will be applied. In addition, it is possible that entities will be required to enter into consent decrees or settlement agreements providing for future monitoring by, and reporting to, the FTC.
Status of the Rules
The Rules have been in effect since January 1, 2008 and had an original compliance date of November 1, 2008. However, as may not be too surprising, this compliance date has subsequently been delayed numerous times, including twice since our previous article (three times if you count the delay issued immediately prior to publishing the Newsletter). Currently, the new compliance date is December 31, 2010. The American Medical Association ("AMA") is continuing to voice its objections to the FTC regarding the Rules' applicability to health care providers. However, the FTC remains steadfast that the delays are not in response to these protests and doctors are subject to the Rules.
Once again, given the numerous state and federal law requirements already burdening health care providers, providers are likely to have existing policies that can be utilized as the foundation of a program that will satisfy the Rules. Health care providers should monitor the discussion surrounding the Rules and review their policies and procedures to update them accordingly.