Health Law Alert: Last Call for Red Flag Compliance Yes, Health Care Providers, This Means You


Alert Date: 04/24/2009

May 1st is the official date on which the Federal Trade Commission (FTC) will begin enforcing its Red Flag Rules, which require many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or "red flags" – of identity theft in their day-to-day operations. Do these Red Flag Rules apply to you? If you are a health care provider, the answer is “Yes,” except in limited circumstances. The good news is that compliance is scalable, meaning that your Identity Theft Program may be commensurate with the size and complexity of your organization (which is presumably, in turn, commensurate with the risk of identity theft involved). Even for larger providers, rolling out a simple but effective program can be done quickly and efficiently.

On the question of applicability, simply put, these rules apply to you as a health care provider if you are a “creditor” which offers or maintains “covered accounts.” A “creditor” is an entity which regularly accepts deferred payment for goods or services. A “covered account” is a consumer account that permits multiple payments or any other account for which there is a reasonably foreseeable risk of identity theft. Health care providers are viewed as “creditors” primarily because they routinely defer payment for services in order to bill the patient’s insurance company, or to later bill the patient pursuant to a payment plan. Furthermore, patient billing and medical records generally contain personal identifiers, including financial information, which would satisfy the catch-all definition of “covered accounts.”

Fortunately, there are many resources out there for those who find themselves in need of a quick fix. Both the AMA and the AHA have sample form policies and other resources available on their websites. Last month the FTC issued its guide, “Fight Fraud with the Red Flag Rules: A How-To Guide for Business,” which is available on its website. Also, the regulations themselves include an appendix which identifies a number of examples of potential red flags. Be careful not to cram your square peg into a round hole; form policies are not “one size fits all,” and you will need to tailor any standardized form to fit your needs. The goal is to come up with a program that establishes a reasonable process for identifying, detecting and responding to potential “red flags” of identity theft.

A simple five step approach will get you where you need to be, or at least well on your way, as quickly as possible.

1. Put someone in charge. Maybe it should be your Privacy or Security Officer; maybe it should be your Accounts Manager. Look at the size and complexity of your organization and ask yourself: who knows the most about our accounts, our information gathering, and our billing?
2. After identifying the person to take charge of the process, that person should promptly assess (with the help of other knowledgeable persons in the organization if necessary) where your patients could be subject to identity theft, and what suspicious patterns or practices may tip you off to the possibility of identity theft. Some of the resources cited above may offer a useful outline for completing this self-analysis.
3. Develop a program which a) identifies red flags particular to your organization, b) sets forth guidelines for detecting such red flags and c) outlines actions you will take when these red flags are identified. To use an example in the FTC’s Guide, you may decide that fake IDs are a potential problem. If so, your program should identify ways to detect possible fake, forged or altered IDs. Your program should also provide for periodic review of your security practices, and updating of your Identity Theft Program as needed.
4. You must have the program approved by your Board or, if you don’t have a Board, by a high-level employee.
5. Roll out the program through employee training; a well thought out, well written policy that no one follows because they have not been trained properly will not help and could hurt your organization.

This alert is intended to be a “last call” for compliance; the FTC’s enforcement date is fast approaching, and with some quick guidance you still have time to meet the compliance deadline. Please feel free to contact us if you have any further questions about compliance with the Red Flag Rules or if you would like help fine-tuning your program. Remember, an effective Identity Theft Program is not just necessary to comply with the FTC’s Red Flag Rules; it is also good business.