Hospitals and other medical care providers may be dangerously unaware that they have a looming deadline for compliance with complex new federal regulations. These "Red Flag" rules require the adoption and implementation of a broad identity theft prevention system by November 1, 2008.

Why Medical Care Providers?

The Red Flag rules were easy for medical care providers to overlook because they were adopted under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), a statute generally intended to extend and update the Fair Credit Reporting Act. Moreover, these rules were issued jointly by various federal agencies that regulate financial institutions, including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Trade Commission (FTC), and thus appear to be directed at banks, mortgage lenders, and other traditional creditors. But they are not so limited, because the Red Flag rules define "creditor" very broadly, and even health care providers may need to comply.

Under the Red Flag rules, a creditor is "any person or business who arranges for the extension, renewal, or continuation of credit" with a "covered account." An account is defined as a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property. A covered account is: (1) an account primarily for personal, family, and household purposes that involves or is designed to permit multiple payments or transactions; and (2) any other account (including an account for business purposes) for which there is a reasonably foreseeable risk to customers, or the safety and soundness of the creditor, from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Health care providers may satisfy these definitions in various ways. Most health care providers extend credit to at least some patients by offering them extended payment plans. Some may also extend credit to employees, and hospitals often extend credit to physicians through income guarantees and recruitment loans.

What Are the Red Flag Requirements?

The Red Flag rules require a creditor to develop and implement a written program that has reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The program must enable a health care provider to:

  • Periodically determine whether it offers or maintains a covered account
  • Identify relevant patterns, practices, and specific forms of activity that are Red Flags signaling possible identity theft
  • Detect when such Red Flags are occurring in the entity's business activities
  • Respond appropriately to any Red Flag that is detected to prevent and mitigate identity theft
  • Ensure the program is updated periodically to reflect changes in risks from identity theft

Identity theft means "a fraud committed or attempted using the identifying information of another person without authority." Identifying information means any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: Social Security Number; date of birth; official state- or government-issued driver's license or identification number; passport number; alien registration number; unique biometric data; unique electronic identification number, address, or routing code; or telecommunication identifying information or access device, and so forth. Thus, under the Red Flag regulations, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of identity theft.

Indicators of possible risk of identity theft include precursors to identity theft such as "phishing" (using enticing e-mail masquerading as legitimate communications to bait the consumer into revealing sensitive information), "vishing" (using voice communications and con-artist trickery to gain access to private personal and financial information), and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. In a health care setting, identity theft may involve the exhaustion of lifetime benefit limits, duplicate services, fraudulent reimbursement or insurance submissions, or discrepancies in information collected at the time of providing services. In order to properly define and implement their Red Flags program, health care organizations must learn lessons from others, keeping abreast of the identity theft environment and tapping sources such as literature and information from credit bureaus, financial institutions, other creditors, designers of fraud detection software, and their own prior experience.

A health care organization's board of directors (or other governing body) also must become involved in its Red Flags program. Each entity that is required to implement a program must: (1) obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors; and (2) involve the board of directors, an appropriate committee, or a designated employee at the level of senior management, in the oversight, development, implementation, and administration of the entity's program.

The potential responsibilities of health care providers under the Red Flag rules touch on other regulatory compliance issues that require careful consideration. Further, the regulations require many additional actions in time to meet the November 1, 2008 deadline. As burdensome as these new rules may seem, they do serve important business and compliance purposes, and carry potential sanctions for failure to comply.

We will be addressing some important additional regulatory compliance issues and action items in a subsequent Legal News Alert.
