Is Your Organization Subject to the Red Flag Rules?April 20, 2009
Hospitals, physician groups and other healthcare providers may be surprised to learn that they could be subject to the Federal Trade Commission's so-called "Red Flag Rules" that become effective May 1, 2009. The Rules are intended to combat identity theft and require implementation of a written program to detect, prevent, and mitigate identity thefts in connection with new and existing accounts.
The Rules apply to any organization that meet the Rules' definition of "creditor" and which offer or maintain "covered accounts."
A "creditor" includes any entity that regularly accepts deferred payments for its goods or services. For example, a hospital or physician group that regularly offers payment plans or allows patients to pay in installment payments would be a "creditor" within the meaning of the Rules.
For the Rules to apply, a "creditor" must also maintain "covered accounts." The Rules define a covered account as an account primarily for personal, family or household purposes and involving a "continuing" relationship between a person and a creditor that includes multiple payments or transactions or in which there is a reasonably foreseeable risk of identity theft. For example, patient billing accounts could be "covered accounts" if a hospital or physician group permits multiple payments on these accounts. Patient medical records may be "covered accounts" because they may be vulnerable to medical identity thefts. Both billing accounts and medical records are likely to involve "continuing relationships" because patients seek medical care on a recurring basis.
If the Rules apply to an entity, the entity's Board of Directors must approve a written plan that includes reasonable policies and procedures to (1) identify "red flags," including relevant patterns, practices and/or activities that potentially suggest possible identity theft, (2) detect the "red flags" that have been incorporated into the program, (3) respond appropriately to "red flag" incidents that are detected in order to prevent and mitigate the effect of identity theft, and (4) ensure that the program is reviewed and updated periodically in order to adjust to changing and developing identity theft risks.
The Federal Trade Commission has not mandated any specific language, policies or procedures that must be included in an identity theft program. The expectation is that each covered entity's program will be appropriate to the entity's size and complexity, and the scope and nature of its activities.
If you have any questions regarding the application of the red flag rules to your organization or how to implement the policies and procedures required by them, please contact Charles G. Vogel (email@example.com or 414-287-9502) or another member of the Godfrey & Kahn Healthcare Team.
To view the complete Health Law Vantage Point, Click Here.