“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the ‘Red Flags’ Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance….

“The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”

The issue regarding the delays in FTC enforcement relates to “scope of entities covered by the Rule,” as indicated in the FTC news release.  Congress is taking action[2]:

“House lawmakers in October [2009] passed H.R. 3763[3], which would exclude from the Red Flags guidelines meaning of ‘creditor’ any healthcare, accounting, or legal practice with 20 or fewer employees, as well as any other business which the FTC determines knows all its customers or clients individually; only performs services in or around the residences of its customers; or hasn’t experienced incidents of ID theft, and identity theft is rare for businesses of that type.  An identical bill, S.3416 was introduced in the Senate on May 25 [2010].”

A lawsuit was filed in federal court on May 21, 2010, to accomplish a similar objective of narrowing scope of entities covered by the Rule.  “[T]he American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit in federal court  challenging the decision to classify physicians as ‘creditors’ because they allow patients to defer payments.  The medical groups also said the implementation of the Red Flags Rule could threaten doctor-patient relationships and negatively affect patient care (Sorrel, American Medical News, 5/31).”[4]

Please visit the FTC Red Flags Rule Web site: http://www.ftc.gov/redflagsrule or the American Medical Association (AMA) Web site: http://www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml for additional information. (20100603)

[2] Melissa Klein Aguilar, “Another Delay for FTC Red Flags Enforcement,” in Compliance Week, June 1, 2010, which is available online at: http://www.complianceweek.com/blog/aguilar/2010/06/01/once-again-ftc-delays-red-flags-enforcement/.

[3] The House passed H.R. 3763 by a vote of 400-0.

[4] California HealthCare Foundation, “FTC Delays Enforcement of ‘Red Flags Rule’ Until End of 2010,” iHealthBeat, June 1, 2010, which is available online at: http://www.ihealthbeat.org/articles/2010/6/1/ftc-delays-enforcement-of-red-flags-rule-until-end-of-2010.aspx.

See this post for more information on how to prepare for today’s deadline.

See this post for more information on how to prepare for tomorrow’s deadline.

See this post for more information on how to prepare for Friday’s deadline.

See this post for more information on how to prepare for Friday’s deadline.

» Identity Theft Red Flag Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, published in the Federal Register on November 9, 2007. The preamble of the Final Rule, which discusses the purpose, intent, and scope of coverage, appears on pages 63718-63733. Of particular importance are pages 63771-63774, which is the text of the FTC Final Rule.

» Fighting Fraud With the Red Flags Rule: A How-To Guide for Business, published by the FTC in March 2009.* The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft, published by the FTC’s Steven Toporoff, Attorney, FTC’s Division of Privacy and Identity Protection, in April 2009.

The following is an excerpt from Toporoff’s The ‘Red Flags’ Rule article, in the section entitled: Who Must Comply, that discusses conditions under which healthcare providers would be covered by the Rule:

“Every healthcare organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a healthcare provider, but rather on whether your activities fall within the law’s definition of two key terms: ‘creditor’ and ‘covered account.’

“Healthcare providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, healthcare providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Healthcare providers are also considered creditors if they help patients get credit from other sources—for example, if they distribute and process applications for credit accounts tailored to the healthcare industry.

“On the other hand, healthcare providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

“The second key term—’covered account’—is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally ‘covered accounts’ under the law. If your organization or practice is a ‘creditor’ with ‘covered accounts,’ you must develop a written identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.”

Now, we refer you to the endnotes in Fighting Fraud With the Red Flags Rule business guide for definitions of identity theft and identifying information:

» Identity Theft. “[A] fraud committed or attempted using the identifying information of another person without authority.
» Identifying Information. “‘[A]ny name or number that may be used, alone or in conjunction with any other information, top identify a specific person, including any—

1. Name, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
2. Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
3. Unique electronic identification umber, address, or routing code; or
4. Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).’”

If you are familiar with the HIPAA Administrative Simplification Privacy and Security Rules, you will note that these identifiers also are pertinent to the definition of protected health information in oral, written, or electronic formats.

Again, we refer you to the Fighting Fraud With the Red Flags Rule business guide for an outline of a Four Step Process for compliance with the red flags rule. These steps, outlined here and in more detail in the business guide, are:

1. Identify Relevant Red Flags. Identify the red flags of identity theft you’re likely to come across in your business.
2. Detect Red Flags. Set up procedures to detect those red flags in your day-to-day operations.
3. Prevent and mitigate identity theft. If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done.
4. Update your Program. The risks of identity theft can change rapidly, so it’s important to keep your Program current and educate your staff.

As a healthcare covered entity, you will note that these steps accord with the risk analysis that a covered entity is required to complete and update periodically as part of the HIPAA Security Rule. As such, for information on conducting a risk analysis, HIPAA.com recommends that you consult the excellent An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 (October 2008), which is available for download on HIPAA.com under “Security”.

• Download (Requires Acrobat Reader)