May 2009

President's Message

On April 30, 2009, the Federal Trade Commission (FTC) agreed to delay enforcement of the new “Red Flag Rules” from May 1, 2009, to August 1, 2009, to give creditors, including health-care providers, more time to develop and implement written identity theft prevention programs. This article was published before the announcement.

Regulations jointly issued by the Federal Trade Commission (FTC) and five other federal financial and banking oversight agencies, require financial institutions and creditors that offer or maintain covered accounts to develop and implement a written Identity Theft Prevention Program (Program).  The Program must include policies and procedures to detect patterns, practices, or specific activities that indicate the possible existence of identity theft, otherwise known as Red Flags. 

Although the Red Flags Rule was issued a year ago, many health care providers (and other service providers) only recently realized that these regulations apply beyond the financial sector.  Most health care providers and institutions will not fit into the definition of a “financialinstitution” which is defined to include banks, credit unions, and certain other lenders.  However, the broad definition of “creditor” likely captures many health care providers.  The term creditor is defined to include any person who regularly extends, renews, or continues, or arranges for the extension, renewal, or continuation, of credit.  Credit means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment.

As typical health care billing practices include billing insurers before billing patients, setting up payments plans, and not collecting payment at the time of service, many health care providers will realize that they are creditors under this broad definition.  The Red Flags Rule specifically refers to banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications

companies.  Health care providers are not included on that list and medical identity theft is mentioned only one time in the fifty plus pages of regulations.  However, the regulations appear to include any entities that provide services or products which are not paid for in full at the time the product is provided or the service is performed. 

Even if a health care provider concludes that it is a creditor, the analysis is not complete until the provider determines whether or not it maintains covered accounts.  An account is a continuing relationship between a creditor and a person to obtain a product or service for personal, family, household or business purposes.  Accounts include extensions of credit (like purchasing property or services using a deferred payment) and deposit accounts.  A covered account is either an account that is designed to permit multiple payments or transactions (for example, mortgage loan, automobile loan, cell phone account, utility account), or any other account that presents a “reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.”  In health care, financial and billing accounts maintained by many health care providers permitting multiple payments will cause health care providers to be considered creditors maintaining covered accounts.

Creditors who offer or maintain covered accounts must develop and implement a written Program.  The Red Flags Rule provides flexibility and notes that the Program must be appropriate to the size of the creditor.  When implementing a Program, creditors are required to consider the guidelines attached as Appendix A to the final FTC regulations (Guidelines) and include in their Program those

NEXT PAGE