The Federal Trade Commission (FTC) announced on Oct. 22, 2008 that it has extended the deadline for compliance with the "red flags rules" from Nov. 1, 2008 to May 1, 2009 to give financial institutions and other creditors additional time to develop and implement written identity theft prevention programs. In extending the deadline, the FTC noted the confusion and uncertainty about coverage under the rule in certain industries and entities, including the healthcare industry. Depending on their billing practices, healthcare providers could potentially be required to comply with the red flags rules.

In late 2007, the FTC, in conjunction with other federal agencies, issued the so-called red flags rules requiring financial institutions and other creditors to develop and implement identity theft prevention programs. Such programs must be designed to identify, detect and respond to suspicious patterns, practices and activities that could indicate identity theft. For purposes of the red flags rules, a "creditor" is anyone who regularly extends, renews or continues credit. A red flag is a suspicious circumstance that should prompt the financial institution or creditor to be alert for possible identify theft. The FTC and the other federal agencies identified 26 red flags. Examples of red flags include lack of correlation between Social Security number range and date of birth, information on ID inconsistent with information provided by the person opening the account, and person opening account or customer unable to correctly answer challenge questions.

Potential Impact on Healthcare Providers

The rules reach beyond the typical financial institutions and creditors such as banks, credit card companies and finance companies and, depending on billing practices and other factors, may require compliance by healthcare providers. While it now appears to be clear that the rules apply to most institutional healthcare providers, given their billing practices, it is less clear whether or not the rule applies to non-institutional healthcare providers such as physicians, dentists or physical therapy providers.

Staff attorneys at the FTC have taken the position that physicians are "creditors" for purposes of the red flags rules unless they require full payment up front at the time that services are provided to a patient. Accordingly, a physician who bills patients after services are provided or allows installment payments could be considered a creditor and, therefore, required to develop and implement a written identity theft prevention program, in accordance with these rules.

According to a letter to the FTC dated Sept. 30, 2008 (available here), the American Medical Association (AMA) and other healthcare organizations strongly disagree with the conclusion that physicians are creditors and the application of the red flags rules to physicians. It is unknown, however, when or if the FTC will respond to the AMA letter or provide further clarification on the application of the rules to physician practices or other healthcare providers. Until the FTC provides further guidance, providers are well advised to assess their billing and collection practices and evaluate the applicability and implications of the red flags rules on their business.

Entities failing to comply with the red rlags rules could face enforcement actions by the FTC, which is authorized to seek up to $2,500 in penalties for each independent violation of the rule; enforcement actions by states, which are authorized to recover up to $1,000 for each violation (plus attorney's fees) on behalf of their residents; and civil suits by affected consumers for actual damages (plus attorney's fees).

At least for now, providers have a reprieve until May 1, 2009 from requirements to have an identity theft prevention program in place. Healthcare providers, however, should not delay considering the potential impact of the rules and would be well advised to develop and implement an appropriate identity theft prevention program if compliance is required.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.