January 20, 2009 by katy
Recently we have been hearing questions about the Federal Trade Commission's identity theft prevention requirements, known as the "Red Flags Rule," and how they may affect your practice. We have put together a summary of the requirements, with links to more information, to help your practice learn about the issue and make an informed decision. Read the new update posted on March 9, 2009, below.
What is the Red Flags Rule?
The Federal Trade Commission (FTC) issued the Red Flags Rule to implement part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The Rule is designed to help prevent identity theft: it requires financial institutions and creditors to develop and implement a written identity theft prevention program.
When will enforcement begin?
The Red Flags Rule took effect in January 2008 and originally required programs to be in place by November 1, 2008. The FTC has since delayed enforcement more than once; the compliance date was moved to August 1, 2009. Update: At the end of June, the FTC announced that enforcement will again be postponed, until November 1, 2009. By that date, financial institutions and creditors must have a program in place that provides for the identification and detection of, and response to, the patterns, practices, or specific activities, known as "red flags," that could indicate identity theft.
Who must comply with the Red Flags Rule?
The Red Flags Rule pertains to financial institutions and creditors with "covered accounts." The term creditor under the rules is defined as "any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit."
The FTC has said that accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. An entity that defers payment for goods or services, however, is considered a creditor.
A "covered account" is defined by the FTC as an account used primarily for personal, family, or household purposes that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also any other account for which there is a reasonably foreseeable risk of identity theft, for example small business or sole proprietorship accounts.
So, are physicians considered "creditors"?
There have been a number of conflicting views as to whether a medical office is a creditor. The MGMA has joined the AAP and other medical organizations in responding to the FTC about this rule, arguing that it does not seem appropriate to consider a medical office a "creditor." To our knowledge, the FTC has not yet responded to the MGMA's position. At present, the articles appearing in various journals are speculating about what might happen.
What action, if any, should pediatricians take?
We encourage you to learn about the Red Flags Rule and make an informed decision for your practice. We have heard of several instances where customers have been approached by vendors selling services to address these rules. In some cases the sales tactics are high-pressure and the solutions costly. Before rushing out to purchase potentially costly services, pediatricians should be aware that there is an active dispute as to whether the rule even applies to medical offices.
PCC agrees with the AAP and MGMA that it does not seem appropriate to consider a medical office a "creditor," and thus that the Red Flags Rule should not apply to medical offices. We also agree that protecting against identity theft is very important. PCC has consulted health care lawyers and has read the Red Flags Rule, the MGMA response, and other industry articles on this topic.
We believe identity theft concerns may be addressed by your existing HIPAA policies, which are designed to prevent the theft, sale, or distribution of protected health information. The patient identifying and billing information the Red Flags Rule is concerned with is a subset of that protected health information.
However, this may be a good opportunity to review your office's policies to make sure you are in compliance with all aspects of HIPAA: the Privacy, Security, Transactions and Code Sets, and National Provider Identifier standards. PCC can help you achieve compliance with our collection of sample policies and forms. You can also refer to our selection of HIPAA resources to learn more about the requirements of each standard.
Update: It has come to our attention that the FTC has responded to the argument made by the AMA and MGMA that medical practices are not "creditors" and so should not be subject to the upcoming enforcement of the Red Flags Rule. The FTC's position is that many medical practices may be creditors with covered accounts, and so will need to comply with the Red Flags Rule as of November 1, 2009.
According to the FTC, a health care provider is a creditor if it bills consumers after services are rendered, or if it accepts insurance and the consumer is ultimately responsible for any remaining fees. Simply accepting credit cards as a form of payment does not make you a creditor under the Rule.
If your practice is a creditor under these terms, the next step is to decide if you have "covered accounts." According to the FTC, there are two types of covered accounts:
The first is an account used primarily for personal, family, or household purposes that involves multiple payments or transactions. This includes a continuing relationship with a consumer for the provision of medical services. The second is an account for which there is a reasonably foreseeable risk of identity theft. In determining whether you have such an account, consider the risks associated with how accounts are opened and accessed, that is, what type of interaction and documentation is required, as well as your practice's own experience with identity theft.
If you determine that your practice is a creditor but does not have covered accounts, you do not need a program to address the Red Flags Rule. If you determine that your practice is a creditor and does have covered accounts as defined by the FTC, your practice will need to take steps to comply with the rule before November 1, 2009. The rule requires that your practice have a written program in place to identify, detect, and respond to the warning signs that could indicate identity theft.
If your office already adheres to the HIPAA Privacy and Security Rules that protect patients and their records, it is our belief that most pediatric practices will need to change their office policies and procedures little, if at all, to comply with the Red Flags Rule. The one thing HIPAA policies alone do not supply is the written program itself: you will still need a document that lists the red flags your staff watch for (for example, an identification document that does not match the patient, or an insurance card that appears altered) and states how staff respond when one is found, even if that response is simply to follow your existing HIPAA procedures.
For more information about developing or administering your program, see the FTC's Red Flags Rule pages listed under Web Resources below, or email RedFlags@ftc.gov with your questions about compliance.
Web Resources:
http://www.ftc.gov/opa/2007/10/redflag.shtm
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
http://www.mgma.com/policy/default.aspx?id=22230