Business Counsel Services

Red Flag Rules — Update on Impact to Health Care Industry

On December 4, 2003, the Fair and Accurate Credit Transactions Act of 2003 was signed into law. As part of this Act, in November 2007, the Federal Trade Commission ("FTC") created the Red Flag Rules ("Rules") to combat prevailing identity theft issues. Ultimately this resulted in the FTC applying financial institution and creditor regulations to a physician's practice to combat identity theft within the health care industry.

This article is intended to provide a summary of the Rules and an update on the status of the enforcement of the Rules. Our previous article in the SettlePou Newsletter, August 2009, Volume 6, Issue 3, provides a more in-depth look into the Rules.

Summary of the Rules

The Rules require financial institutions or creditors that offer or maintain one or more covered accounts to develop and implement written identity theft prevention programs.

A creditor is defined as any person who regularly extends, renews, or continues credit, including businesses that regularly defer payment for services or provide services and bill customers later. As you can see, this expansive definition can cover health care providers who engage in practices such as (1) regularly billing patients after the completion of service, including for the remainder of medical fees not reimbursed by insurance; (2) regularly allowing patients to set up payment plans after services have been rendered; and (3) assisting patients in getting credit from other sources. Covered accounts can be: (1) accounts that creditors offer or maintain, primarily for personal, family, or household purposes, that involve or are designed to permit multiple payments or transactions (e.g., patient billing accounts); and (2) any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft (e.g., patient records). It is because of these broad definitions that health care providers may become subject to the Rules.

Once a health care provider falls within the scope of the Rules, it is required to establish a program that detects, prevents, and mitigates identity theft. Our previous article further examines the fundamentals of establishing a prevention program.

Entities that fail to comply with the Rules may be fined $2,500 per violation; however, the scope of "violation" is unclear, and so it is uncertain how this fine will be applied. In addition, it is possible that entities will be required to comply with consent decrees or settlement agreements providing for future monitoring by and reporting to the FTC.

Status of the Rules

The Rules have been in effect since January 1, 2008 and had an original compliance date of November 1, 2008. However, as may not be too surprising, this compliance date has subsequently been delayed numerous times, including twice since our previous article (three times if you count the delay issued immediately prior to publishing the Newsletter). Currently, the new compliance date is December 31, 2010. The American Medical Association ("AMA") is continuing to voice its objections to the FTC regarding the Rules' applicability to health care providers. However, the FTC remains steadfast that the delays are not in response to these protests and that doctors are subject to the Rules.


Once again, given the numerous state and federal law requirements already burdening health care providers, providers are likely to have existing policies that can be utilized as the foundation of a program that will satisfy the Rules. Health care providers should monitor the discussion surrounding the Rules and review their policies and procedures to update them accordingly.

By Michael S. Byrd and Bradford E. Adatto