Identity theft is a serious crime that costs United States businesses billions of dollars every year and affects millions of American consumers. Identity thieves use people's personally identifying information to open new accounts and misuse existing accounts, creating havoc for individuals and businesses. In an effort to combat identity theft, the Federal Trade Commission (FTC), along with six other federal regulatory agencies, issued regulations in November 2007 that are commonly referred to as the "Red Flags" Rule.1 Although the Red Flags Rule is geared toward banks and other financial institutions, the Rule also applies to any "creditors"2 that utilize "covered accounts,"3 and require such entities to develop and implement written identity theft prevention programs.

Companies in many industries have accepted the label of "creditor" and the applicability of the Red Flags Rule to their operations, and have begun taking steps to implement programs to identify, detect, and respond to warning signs, or "red flags," that could indicate identity theft. However, two groups, physicians, represented primarily by the American Medical Association (AMA), and attorneys, represented primarily by the American Bar Association (ABA), oppose the FTC's inclusion of their professions4 in the meaning of "creditor" under the Red Flags Rule.5 Pressure from these groups, as well as other factors, has led to extensions of the enforcement deadline originally promulgated by the Rule.

A History of Postponement

The Red Flags Rule became effective on January 1, 2008. Originally, compliance was required by November 1, 2008. That deadline was then extended until May 1, 2009, largely because it became apparent to the FTC that physicians and other healthcare providers were unaware of the Rule. Following this first extension, the ABA requested an additional postponement so it could assess the implications of the Red Flags Rule for lawyers and law firms. On April 30, 2009, the FTC obliged this request by further delaying the enforcement of the Red Flags Rule until August 1, 2009. In June, the ABA publicly called upon the FTC and Congress to exempt lawyers from the Red Flags Rule. Just days before the anticipated August 1, 2009, deadline, the FTC announced that it would again extend the enforcement deadline, this time to November 1, 2009, but, rather than address the AMA and ABA's concerns, the agency asserted the additional extension merely would allow the FTC additional time to "assist small businesses and other entities . . . to educate them about compliance with the 'Red Flags' Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."6

The FTC continued to emphasize that the Rule itself is not changing and that its extensions simply were meant to enable businesses to gain a better understanding of the Rule and any obligations that they may have under it. However, on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.7 The medicine, dental, and accounting professions, among others, have also been engaged in lobbying efforts aimed at exempting their professions from the "creditor" label and Red Flags Rule enforcement. Predictably, two days before the November 1, 2009 deadline, the FTC delayed enforcement of the Red Flags Rule again until June 1, 2010, citing Congressional request.8 Perhaps not surprisingly, with the passage of HR 3763 discussed in greater detail on page four of this article, the FTC again extended the June 1, 2010 deadline until December 31, 2010, citing a need for time as Congress considers legislation meant to clarify those entities covered by the Rule, while also seeking to "fix the unintended consequences of the Rule."

AMA Stance

Since the Red Flags Rule was issued, the AMA and a number of state medical societies have objected to the FTC's interpretation that physician practices are "creditors" either when they accept insurance and bill patients after services are provided or if they allow patients to set up payment plans after services have been provided. In addition, these groups have expressed their concerns about the overlap between the Red Flags Rule and other regulatory requirements already imposed on physicians, such as the Health Insurance Portability and Accountability Act (HIPAA),9 and the FTC's failure to comply with the Administrative Procedure Act, which requires the FTC to explain its regulatory proposals and give the public notice and a chance to comment.

As recently as August 2009, the AMA indicated that it "intends to continue to make the case to Congress and the agency that the FTC should republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program." In this same month, the AMA joined others in litigation described herein.

ABA Stance

When the FTC originally issued the Red Flags Rule, the legal community interpreted attorneys as exempt from the Rule's definition of "creditor." In April 2009, however, the ABA received word that the FTC intended to enforce the Red Flags Rule against lawyers. After requesting an extension to the May 1, 2009, compliance deadline, the ABA issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the Red Flags Rule, which stated, in part:

The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent. However, the Commission's application of the Rule to lawyers is unnecessary and not supported by law. Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be considered creditors under the Red Flags Rule.10

In support of this position, the ABA referenced federal case law suggesting that lawyers are not "creditors" under federal law and further asserted that forcing lawyers to comply would be costly and pointless. The ABA further argued, "Compliance with the Act would complicate client arrangements and require a major commitment of lawyers' time, yet the FTC has failed to identify a single case of identity theft in the legal service context, suggesting that such a scenario is far-fetched, if not impossible."11 A number of state bar associations also sent letters to the FTC and issued reports setting forth the legal arguments against application of the Red Flags Rule to attorneys.12

Although the FTC extended the deadline for compliance to November 1, 2009, following pressures from the ABA and state bar associations, it did so arguably under the stated purpose of wanting more time to educate creditors as to their obligations. The FTC's press release mentioned the delay's consistency with the House Appropriations Committee's recent request that the FTC defer enforcement in conjunction with "additional efforts to minimize the burdens of the Rule on healthcare providers and small businesses with a low risk of identity theft problems," but made no mention of the concerns posed by the AMA or the ABA.13 The FTC's apparent disregard for the bar associations' concerns finally led to a lawsuit described in greater herein.

Litigation: ABA, AMA, AOA, and Others

The ABA filed a complaint against the FTC in federal district court in Washington, D.C. on August 27, 2009.14

The complaint sought declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors" required to comply with the Red Flags Rule. The complaint argued that lawyers are regulated at the state level, not by the federal government, and that the FTC has not been given the necessary authority by Congress to change this state of affairs. As noted above, on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.15 After apparently taking note of the ABA win, a trade association for accountants, the American Institute of Certified Public Accountants (AICPA), filed a similar suit seeking the same relief on November 11, 2009.16

Similarly, in August of 2009, the AMA filed litigation, along with the American Osteopathic Association and the Medical Society of the District of Columbia.17 The stated objective of this litigation is to present the FTC's Rule as unlawful, claiming that it exceeds the powers given to it by Congress.

Legislative Update

On October 20, 2009, the US House of Representatives passed HR 3763, which would amend the Red Flags Rule.18 Among other provisions, the bill would exempt certain businesses, including healthcare, accounting, and legal practices, which employ less than 20 people, from being deemed "creditors" subject to the Red Flags Rule. The bill has been referred to the Senate and likely played some part in the FTC's additional delay of enforcement of the Red Flags Rule.

Where We Go From Here

Whether the Red Flags Rule's implementation date will be subject to further delay or whether further bills will be introduced or passed or talks will be held to discuss carving out doctors or lawyers is not yet known. What is clear, however, is that the Red Flags Rule is unlikely to be derailed completely. In the absence of litigation from the AMA and provider community, all healthcare providers who offer covered accounts, including physician practices, eventually may be subject to the obligations of the Red Flags Rule. In order to address this probability, the following guidance is offered to assist healthcare providers in their compliance efforts.

What Does the Red Flags Rule Require? Generally speaking, a business covered by the Red Flags Rule is required to identify "red flags," that is, patterns, practices, or specific activities that are often indicators of identity theft, and to develop a written program to detect and prevent identity theft and to mitigate the damage of its effects. Such a program can be incorporated into an existing compliance program alongside a provider's HIPAA privacy and security plan, although the requirements of the Red Flags Rule are different from those of the HIPAA privacy and security regulations.

Under the Red Flags Rule, a creditor is required to develop and implement an "Identity Theft Prevention Program," which is a program designed to detect, prevent, and mitigate identity theft in connection with covered accounts. The Rule provides enough flexibility that a program can be tailored to various business arrangements and practice sizes. The Rule also requires that the program be updated periodically to address, among other things, changes in risks from identity theft.

How Can A Healthcare Provider Identify Red Flags? As part of an identity theft program, a creditor must document that it considered the red flag categories published in the FTC's Guidelines for developing an Identity Theft Prevention Program.19 These Guidelines provide that a program should include relevant red flags from the following categories:

  • Alerts, notifications, or other warnings received from consumer reporting agencies;
  • The presentation of suspicious documents;
  • The presentation of suspicious personal identifying information;
  • The unusual use of or other suspicious activity related to a covered account; and
  • Notices from customers, victims of identity theft, law enforcement, or others regarding possible identity theft in connection with covered accounts.

The Guidelines also contain specific examples of red flags from each of the above-listed categories.20 Those examples are primarily directed at financial institutions, but many are applicable to healthcare providers.

Additional examples of red flags for healthcare providers have been published by the World Privacy Forum, a non-profit public interest research group, and may be useful to consider as part of an effective program:

  • A complaint or question from a patient based upon the patient's receipt of:
    • a bill for another individual;
    • a bill for a product or service that patient denies receiving;
    • a bill from a healthcare provider that the patient never patronized; or
    • a notice of insurance benefits (or Explanation of Benefits) for health services never received.
  • Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient;
  • A complaint or question from a patient about the receipt of a collection notice from a bill collector;
  • A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached;
  • A complaint or question from a patient about information added to a credit report by a healthcare provider or insurer;
  • A dispute of a bill by a patient who claims to be the victim of any type of identity theft;
  • A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance; and
  • A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.21

How Does a Healthcare Provider Detect Red Flags? Having identified relevant red flags, the next step is to establish policies and procedures to detect these red flags. The FTC's Guidelines recommend obtaining identifying information about and verifying the identity of a person opening a covered account, as well as authenticating customers, monitoring transactions, and verifying the validity of address changes.

Red flags may be detected during the course of setting up a new patient file, reviewing medical records, or verifying insurance information. As the FTC has pointed out, some red flags, taken alone, may seem harmless, but when coupled with other events—such as a change of address coinciding with the use of an address associated with fraudulent accounts—can be an indication of identity theft.

How Does a Healthcare Provider Prevent and Mitigate Identity Theft? An Identity Theft Prevention Program must include policies and procedures that establish appropriate responses once red flags have been detected. A provider's responses should be proportionate to the risk posed by the red flag, and should take into consideration aggravating factors that may heighten the risk. Appropriate response may include contacting the patient, changing passwords or access to a patient's information, not attempting to collect on an account, notifying law enforcement, and determining that a response is not necessary in a particular situation. The program should also include policies and procedures for staff training and a means of effectively monitoring service provider arrangements.

What Steps Should a Healthcare Provider Take to Update the Program Periodically? The strategies and tactics of identity theft are always changing as identity thieves find new ways to mine personal information and avoid the efforts of identity theft prevention. Accordingly, an acceptable Identity Theft Prevention Program must include procedures whereby the program will be updated periodically in order to demonstrate that the provider is considering new threats and developments in the field. Healthcare providers should consider implementing an annual assessment as part of its overall compliance efforts. The Red Flags Rule requires that there be oversight and approval of the program by a board of directors or committee of the board, or, if there is no board, by a designated employee at the level of senior management. Such oversight should include assigning specific responsibility for the program's implementation, reviewing reports, and approving material changes to the program.

Why Is Compliance Important? As with all compliance programs, it is not enough to develop an Identity Theft Prevention Program and place it on a shelf or stick it in a file. The program must work. Keep in mind that, for now, whenever compliance is required, those who violate the Rule may be subject to civil monetary penalties in amounts up to $3,500 per violation. Physicians and their counsel should also bear in mind that the US Department of Health and Human Services Office of Inspector General has begun performing audits of healthcare providers and the government has signaled its intention to beef up enforcement related to HIPAA security.22 Although an administrative burden exists, the Red Flags Rule offers healthcare providers and their counsel an ideal opportunity to revisit and shore up their patient information security efforts, which are subject to ever-increasing government scrutiny.

Footnotes

1 Available at: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/more-about-red-flags.shtm .

2 The Rule identifies a creditor as any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. The FTC's examples of creditors often include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to considered creditors for purposes of the Red Flags Rule.

3 A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft—for example, small business or sole proprietorship accounts.

4 While physicians and attorneys have spearheaded the opposition to the inclusion of their professions in the meaning of "creditor," other professions, including, but not limited to, accountants, dentists, orthodontists and prosthodontists, have voiced opposition to the applicability of this law to their professions.

5 AMA opposition argument summary available at: http://www.ama-assn.org/ama/noindex/physician-resources/red-flags-rule.shtml ; ABA opposition argument summary available

at: http://www.abanet.org/poladv/priorities/redflagrule/2009jul_redflagfactsht.pdf.

6 Available at: http://www.ftc.gov/opa/2009/07/redflag.shtm .

7 Opinion available at: http://www.abanet.org/media/docs/ABA_v._FTC_Amended_Order.pdf .

8 FTC Press Release available at: http://www.ftc.gov/opa/2009/10/redflags.shtm .

9 Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.

10 Available at: http://www.abanet.org/abanet/media/statement/statement.cfm?releaseid=684 .

11 Id.

12 For a discussion of state bar opposition, see: http://www.law.com/jsp/article.jsp?id=1202431910679 .

13 Available at: http://www.ftc.gov/opa/2009/07/redflag.shtm .

14 Available at: http://www.abanet.org/media/nosearch/1_1_Complaint.pdf.

15 Supra, at 7.

16 AICPA's press release is available at: http://www.aicpa.org/download/news/2009/AICPA-Files-Lawsuit-Challenging-Application-of-FTCs-Red-Flags-Rule-to-CPAs.pdf ; the complaint may be accessed here: http://www.aicpa.org/download/news/2009/AICPA-Complaint.pdf .

17 Available at http://www.ama-assn.org/ama1/pub/upload/mm/395/red-flags-lawsuit.pdf .

18 The current version of HR 3763 is available at: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h3763rfs.txt.pdf .

19 Available at: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf .

20 Id.

21 Available at: http://www.worldprivacyforum.org/pdf/WPF_RedFlagReport_09242008fs.pdf .

22 See, e.g., http://oig.hhs.gov/oas/reports/region4/40705064.pdf .

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.