The Red Flag Rules, which had an original enforcement deadline of November 1, 2008, have left many health care providers, including durable medical equipment ("DME") suppliers, blindsided. Fortunately, the Federal Trade Commission (FTC) delayed enforcement of the Red Flag Rules until August 1, 2009. Even with this additional time, however, many DME suppliers have no idea what the Red Flag Rules are or how their companies are affected.
Implemented by the FTC and five other federal agencies that generally oversee financial institutions, the Red Flag Rules require creditors holding covered accounts to implement an identity theft prevention program. As with many federal regulations, the definitions of "creditor" and "covered account" are drawn so broadly that a health care provider that does not collect the amounts due from patients at the time services are rendered is subject to the Red Flag Rules.
Under the Red Flag Rules, a "creditor" is any person or entity that "regularly extends, renews, or continues credit" and maintains one or more "covered accounts." The Rules define "credit" as "the right granted by a creditor to a debtor to defer payment of debt or … to purchase … services and defer payment therefor." A "covered account" is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; and (2) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft.
Providers have tried to argue that they do not act as "creditors" simply by deferring payment beyond the date that services are rendered. However, statements made by FTC representatives indicate that it is the FTC's position that a health care provider falls within the definition of "creditor" if it has a regular business practice of not requiring all patients to pay the patient-responsibility portion for health care goods or services in full at the time such goods or services are provided. Merely accepting a credit card from a patient as a form of payment does not, by itself, make the health care provider a creditor; in that case the card issuer, not the provider, is extending the credit. Patient account balances would also be considered by the FTC to meet the definition of "covered accounts," since the account relates to a personal or family purpose and typically involves or permits multiple payments by the patient. The bottom line is that any DME supplier that does not collect co-payments and deductibles at the time of delivery should consider itself covered by the Red Flag Rules.
The Red Flag Rules require a creditor to develop and implement a written program to detect, prevent, and mitigate the effects of identity theft. The version of the Rules and guidelines issued by the FDIC for the institutions it supervises can be found at 12 C.F.R. § 334.90 and Appendix J to Part 334; the FTC's parallel rule, which is the one that governs non-bank creditors such as DME suppliers, appears at 16 C.F.R. Part 681, and its text and guidelines are substantively the same. Publication of the Red Flag Rules and comments in the Federal Register can be found at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. The Rules allow some flexibility in that a health care provider may design and implement a program that is appropriate to its size and complexity, as well as the nature and scope of its operations. The program, however, must address each of the elements in the Rules.
First, Red Flags must be identified. "Red Flags" are patterns, practices, or specific activities that indicate the possible existence of identity theft. A creditor should consider the following factors in identifying relevant Red Flags for its covered accounts: (1) the types of covered accounts it offers or maintains; (2) the methods it provides to open its covered accounts; (3) the methods it provides to access its covered accounts; and (4) its previous experiences with identity theft. The FTC provided 26 examples of possible Red Flags in a supplement included with the Rules. These examples fall into five categories: (1) alerts, notifications, or warnings from a consumer reporting agency; (2) suspicious documents; (3) suspicious personally identifying information, such as a suspicious address; (4) unusual or suspicious activity relating to a covered account; and (5) notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts. DME suppliers should also focus on Red Flags related to medical identity theft, which involves someone using another person's name and insurance information in order to obtain covered medical goods or services.
A supplier's policies and procedures should also address the detection of Red Flags in connection with covered accounts. For new accounts, this means obtaining identifying information about, and verifying the identity of, the person opening the account; for existing accounts, it means authenticating customers, monitoring transactions, and verifying the validity of change-of-address requests.
A supplier's Red Flag policies and procedures should provide for appropriate responses to the Red Flags the supplier detects, in order to prevent and mitigate identity theft, with the response commensurate with the degree of risk posed. Appropriate responses may include monitoring a covered account, contacting the customer, declining to open a new covered account, not attempting to collect on a covered account, or notifying law enforcement.
Suppliers should update their programs (including the relevant Red Flags) periodically to reflect changes in the risks to customers, or to the safety and soundness of the supplier, from identity theft. Updates should be based on factors such as changes in the methods of identity theft, changes in the methods available to detect, prevent, and mitigate identity theft, and changes in the supplier's business arrangements and systems.
The Red Flag Rules require that the board of directors (or a committee of the board) approve the initial written identity theft prevention program. Afterwards, the board, a board committee, or a designated senior management employee must be directly involved in the oversight, development, implementation, and administration of the program.
Finally, a supplier's Red Flag policies and procedures must include training and reporting requirements. The supplier is required to train staff, as necessary, to effectively implement the program. Additionally, the staff responsible for development, implementation, and administration of the program should report to the board of directors, a board committee, or a designated senior management employee at least annually. The report should address material matters related to the program and evaluate issues such as: the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; significant incidents involving identity theft and management's response; and recommendations for material changes to the program.
The compliance deadline, originally November 1, 2008, was first extended to May 1, 2009 and has since been extended once again; those affected now have until August 1, 2009 to comply. There are no criminal penalties for failing to comply with the Red Flag Rules, but creditors that violate the Rules may be subject to civil money penalties. The FTC may impose civil money penalties (up to $2,500 per violation) for knowing violations that constitute a pattern or practice. Additionally, victims of identity theft can sue to recover actual damages sustained as a result of a violation of the Red Flag Rules.
A supplier that was previously unaware of the Red Flag Rules need not panic. The supplier's HIPAA Privacy and Security policies may already address several of the elements required by the Red Flag Rules, although they will not satisfy the Rules on their own, because the Rules require a separate written program approved by the board. In addition, most DME companies that have become accredited, or are undergoing the accreditation process, should already have policies and procedures in place that can be adapted to comply with the Red Flag Rules. If it has not done so already, a DME company that does not collect co-pays and deductibles at the time equipment is delivered should take steps to design an identity theft prevention program that meets the requirements of the Red Flag Rules and obtain approval of the program from its board or a board committee.
Reprinted with permission. Denise M. Fletcher, Esq., is an attorney with the Health Care Group of Brown & Fortunato, P.C. Ms. Fletcher is Board Certified in Health Law by the Texas Board of Legal Specialization. She can be reached at (806) 345-6318 or dfletcher@bf-law.com.