Business Counsel Services

Red-Flag Rules: Really? New Rules Being Applied to the Health Care Industry That Don’t Reference Health Care


Identity theft is a problem that seriously disrupts the lives of its victims. The unauthorized use of personal identifying information can result in drained accounts, unauthorized debt and damaged credit.

Identity theft is not only a problem that affects individuals; it also affects businesses. In the health care industry, identity theft may take two forms: identifying information being stolen from the business itself, or medical identity theft. Medical identity theft occurs when someone uses another person’s stolen identifying information to obtain medical services. Its impact can be significant. First, it can result in false entries in the victim’s medical history and the creation of fictitious records, leading to improper medical treatment or to the denial or exhaustion of the victim’s health insurance benefits. Second, and most important to health care providers, it can result in liability to: (1) the federal government and health insurance companies, which may require the provider to repay reimbursement for services rendered to someone other than the insured; or (2) victims of identity theft who seek legal recourse against the provider.

Despite the abundance of regulation currently focused on the health care industry, the government elected to utilize regulations from the Federal Trade Commission (“FTC”) to combat the issues described above. As a reminder, the FTC’s general purpose is to be a consumer protection agency and not a health care agency. Nonetheless, the FTC has applied financial institution and creditor regulations to a physician’s practice using the Red Flag Rules (“Rules”) created as part of The Fair and Accurate Credit Transactions Act of 2003.

What are the Red-Flag Rules?

The Rules require each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written identity theft prevention program. This program must be designed to detect, prevent, and mitigate identity theft. Essentially, the Government is asking businesses to police their clients.

How Do the Rules Apply to the Health Care Industry?

It is important to note that the applicability of the Rules does not depend on the industry or sector despite the use of such terms as “financial institutions” or “creditors.” The determination is made based on whether your activities fall within the relevant definitions. It is here that a health care provider may be subject to the Rules.

The first relevant definition to consider is whether you are a “creditor.” A creditor is any person who regularly extends, renews, or continues credit. This definition includes businesses that regularly defer payment for services, or that provide services and bill customers later. Examples of practices that would qualify a provider as a creditor are: (1) regularly billing patients after services are completed, including for the remainder of medical fees not reimbursed by insurance; (2) regularly allowing patients to set up payment plans after services have been rendered; and (3) assisting patients in obtaining credit from other sources. However, if you require full payment before or at the time of service, or accept direct payment only from Medicaid, you are not a creditor. Accepting credit cards as a form of payment does not by itself make you a creditor.

The second relevant definition to consider is whether you have “covered accounts.” Covered accounts can be: (1) accounts that creditors offer or maintain, primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions (e.g., patient billing accounts); and (2) any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the creditor, from identity theft (e.g., patient records).

If you do not meet these definitions, then you can relax and worry only about the other countless state and federal regulations applicable to you. However, if you find that you meet both definitions, then you should begin the process to set up the written program.

How Do You Set Up a Prevention Program?

The Rules are broad in defining the type of program that must be in place and allow flexibility in its design. A program must be appropriate to the size and complexity of your business and the nature and scope of its activities. The Rules provide guidelines to assist in developing and maintaining a compliant program. Although the guidelines must be considered, only those that are appropriate to your business need be included.

Essentially, the program should include policies and procedures to: (1) identify relevant patterns, practices, and specific forms of activity that indicate the possible existence of identity theft (“Red Flags”); (2) detect Red Flags; (3) respond to Red Flags in order to prevent and mitigate identity theft; and (4) update the program periodically to reflect changes in risk from identity theft. Unfortunately, this broad language makes it difficult to predict what the program should contain without reviewing the activities of the business. Even then, it is likely that small tweaks will be necessary over time to address varying issues that arise. Every program is going to be different, and each will be tailored to address its unique business activities.

What Are the Consequences for Not Complying?

Entities that fail to comply with the Rules may be fined $2,500 per violation; however, the scope of a “violation” is unclear, so it is uncertain how this fine will be applied. In addition, entities may be required to enter into consent decrees or settlement agreements providing for future monitoring by, and reporting to, the FTC.

When do the Rules Become Effective?

The Rules have been in effect since January 1, 2008, and enforcement was originally scheduled to begin August 1, 2009. However, following protests from several groups, including the American Medical Association, the enforcement date has been delayed until November 1, 2009. The FTC maintains that the delay was not a response to these protests and has consistently taken the position that physicians are subject to the Rules, so the intervening three months will show whether the FTC changes its position or the Rules are delayed again. In the meantime, health care providers should proceed on the assumption that the Rules will be enforced against the health care industry beginning November 1, 2009.


Despite the issues discussed above, health care providers need not panic at the thought of scrambling to satisfy the Rules if they are enforced as the FTC intends. Given the numerous state and federal requirements already imposed on health care providers, many are likely to have existing policies and procedures in place that essentially accomplish what the Rules require. Small adjustments and some written documentation are likely to be the only tasks most providers face. Health care providers should consult with legal counsel to monitor the discussion surrounding the Rules and to review and update their policies and procedures accordingly.

By Michael S. Byrd and Bradford E. Adatto