Even Small Healthcare Practices Have to Comply with FTC's New Red Flags Rule (Enforcement Delayed Until Aug 1)
By: Neil B. Krugman and Joshua D.W. Collins, Waller Lansden Dortch & Davis, LLP
Small medical and dental practices that have never encountered identity theft problems with their patients have until May 1, 2009 to comply with the Federal Trade Commission's (FTC's) new Red Flags Rule, if the practice meets the Rule's broad definition of a "creditor" and has even one "covered account."
A Red Flag is an occurrence that should alert the practice to a possible identity theft involving a patient. For example, a patient's personal information does not match his or her photo identification, or a patient's identification and insurance documents appear to have been altered. There are no criminal penalties for failing to comply with the Red Flags Rule, but creditors that violate the Rule may be subject to civil monetary penalties of up to $2,500 per violation.
According to the FTC, you are a "creditor" if you are a healthcare provider and you bill patients after their services are completed, or if you accept insurance but the patient ultimately is responsible for payment. "Covered accounts" include any account used mostly for personal, family or household purposes that involves multiple payments or transactions. The FTC says that a continuing relationship between a healthcare provider and a consumer for the provision of medical services is a "covered account." In recent weeks, the FTC has affirmed the Rule's application to all healthcare practices, regardless of size, that meet the Rule's definition of "creditor" and have at least one "covered account," in spite of efforts by national provider associations to convince the FTC that small practices should be exempt.
Healthcare practices that are subject to the Red Flags Rule need to adopt a written "red flags program" by the compliance deadline. The program must identify the warning signs of identity theft, establish policies and procedures to detect red flags in the practice's day-to-day operations, and include appropriate responses to prevent and mitigate identity theft. The program must be approved by the healthcare organization's board of directors (or by a senior employee of the organization if it does not have a board) and must include training for the practice's staff.
There are two red flags that, if detected, require a specific response from the practice. First, if the practice obtains a consumer credit report that contains a discrepancy between the address provided by the patient and the address contained in the credit report, the practice must make a reasonable attempt to verify the correct address. If the practice determines that the verified address is different from the address on the credit report, it must report this to the credit reporting agency. Second, if the practice receives notice of actual identity theft relating to one of its patient accounts, it must immediately cease collection efforts against the alleged victim of the identity theft.
The FTC has emphasized that the Red Flags Rule is designed to be flexible and tailored to the degree of identity theft risk faced by the particular provider. In many cases the risk may be minimal or non-existent, such that a simple and streamlined program would be sufficient, and the FTC has indicated that it is working on guidelines to address the sort of "low risk" environments into which many small practices fall. But for now, even a streamlined red flags program must include a written plan that addresses the elements required in the Rule, as well as training for staff.