Red Flags on May 1:
FTC Rules for Detecting Identity Theft Go Into Effect
Before the fall of the Soviet Union, May Day usually meant parades of military hardware, stone-faced Communists atop Lenin's tomb, and plenty of
red flags all around the Kremlin. On May 1, 2009, a different sort of "red flag" will assume importance when the FTC's new Red Flags Rule comes
into effect.
In November 2007, in response to a mandate from Congress in the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Federal Trade
Commission (FTC) published rules requiring financial institutions and "creditors" to recognize and deal with identity theft. The regulations,
called the Red Flags Rule, require covered entities to develop and implement a written Identity Theft Prevention Program (Program) designed to
identify, detect, and respond to identity theft threats. Any such Program should be constructed to recognize the "red flags" that might alert a
covered entity to the fact that identity theft is ongoing with respect to one of its customers.
The Red Flags Rule applies to financial institutions and "creditors." "Creditor" is defined as "any person who regularly extends, renews, or
continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor
who participates in the decision to extend, renew, or continue credit." "Credit" is "the right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." To the extent a financial
institution or creditor offers or maintains a "covered account" (a continuing financial relationship "that involves multiple payments or
transactions" or "for which there is a reasonably foreseeable risk to customers...from identity theft"), it must abide by the Red Flags Rule.
This language is plainly intended to include banks and other financial institutions that lend money to customers as well as companies that sell
items on installment terms, such as car dealers, appliance stores, and the like. What is not clear is whether this language includes physicians,
hospitals, and other health care providers. It would seem reasonable that a nursing home, to the extent it maintains accounts for its residents
where payment is made on a monthly basis, would likely qualify. But what about a physician's office or hospital, where services are provided
before payment is received? A strong argument could be made that, unless a physician's office or hospital regularly establishes payment plans
for its patients, it is not a "creditor" and the Red Flags Rule is inapplicable.
In September 2008, the American Medical Association (AMA), along with a handful of other health care organizations, sought clarification from the
FTC that medical providers would not be "creditors" under the Red Flags Rule unless they expressly engaged in the extension of credit or offered
payment terms to patients. The FTC responded with a letter dated February 4, 2009, stating almost categorically that physicians and other health
care providers are "creditors" simply because they don't receive full payment at the time services are provided. The AMA, joined by the medical
associations of all 50 states and the District of Columbia, along with a comparable number of physician specialty societies, responded on February 23 with a
strongly worded letter vehemently disagreeing with the FTC's conclusions and demanding that if the FTC was going to categorically apply the Red
Flags Rule to physicians, it must do so by the publication of new regulations and allow for public comment. The FTC has yet to respond to the
physicians' February 23 letter.
As drafted, the Red Flags Rule does not seem to be designed to apply to physicians and hospitals, unless they regularly set up payment plans for
their patients. The regulations specifically discuss credit card accounts, utility accounts, mortgage and auto loans, and cell phone accounts.
While that listing is not intended to exclude any other industries, the simple fact that physicians provide their services before they submit a
bill to the patient isn't necessarily an extension of credit; if that were the criterion, a restaurant would be a "creditor" if your waiter brought
the bill after you ate, rather than before. Also, most of the illustrative red flags provided in the supplement to the regulations do not seem
to correlate to the usual business operations of a hospital or physician's office.
However, it appears that the FTC is set in its determination to apply the Red Flags Rule to physicians and hospitals. And since the Red Flags
Rule is not a rigid set of policies and procedures – but rather is "scalable" – and since the risk of medical identity theft is real
and can result in life-threatening situations, it may be advisable for hospitals and physicians to implement a simple Identity Theft Prevention
Program and comply with the Red Flags Rule, even if it later proves to be unnecessary.
The Red Flags Rule outlines the requirements for a Program. The covered entity should consider risk factors and possible sources of "red flags"
that would indicate that identity theft might be occurring and should then identify the "red flags" it will monitor (note that Supplement A to
the Red Flags Rule provides over two dozen specific examples of "red flags" that could be part of a Program). The categories of "red flags"
include actual alerts or notifications from consumer reporting agencies, suspicious documents, suspicious personal information, unusual account
activity, or direct notice from individual customers who are victims of identity theft. Once a "red flag" is raised, the Program should provide
for appropriate responses, which may include monitoring, contacting the customer, changing passwords, closing accounts, and notifying law
enforcement. The Program should be approved by the board of directors (or a committee of the board), reviewed and updated periodically to reflect
changes in risk, and reported on to the board at least annually.
Such a Program could be built upon existing policies and procedures of the entity. Physicians and hospitals are already subject to HIPAA and are
required to have a great many privacy and security safeguards in place, along with written policies and procedures to ensure they remain current.
Layering in an Identity Theft Prevention Program should not be difficult and could be complementary to already-existing HIPAA policies. Even
though the Red Flags Rule may not ultimately be applicable to most health care providers, having such a program might still be good medicine.
Finally, it should be noted that there are no criminal sanctions for violating the Red Flags Rule, nor has the FTC indicated that it will closely
monitor covered entities for compliance. Additionally, there are no specific civil penalties for violating the Red Flags Rule, although such a
violation would be considered a violation of FACTA, which carries a penalty of $2,500 for each violation. In addition, there might be state laws
implicated by failure to abide by the Red Flags Rule. More importantly, though, the Red Flags Rule is likely to become the standard of
care or industry standard for businesses that hold or use electronic information about their customers; if a failure to follow the Red Flags Rule results
in a breach of a patient's data or in identity theft, a plaintiff's lawyer will likely allege a breach of the duty to protect that information.
If you have any questions, please contact Jeff Drummond at 214.953.5781 or jdrummond@jw.com.