The Federal Trade Commission’s (FTC’s) “red flags” rules for financial institutions and creditors to fight identity theft require compliance by most healthcare providers on Friday, May 1, 2009. HIPAA.com recommends that healthcare providers examine three documents, which we have available at HIPAA.com, to determine their responsibilities with respect to compliance with the red flag rules. These documents are:
» Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, published in the Federal Register on November 9, 2007. The preamble of the Final Rule, which discusses the purpose, intent, and scope of coverage, appears on pages 63718-63733. Of particular importance are pages 63771-63774, which contain the text of the FTC Final Rule.
» Fighting Fraud With the Red Flags Rule: A How-To Guide for Business, published by the FTC in March 2009.
» The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft, published by Steven Toporoff, Attorney, FTC Division of Privacy and Identity Protection, in April 2009.
The following excerpt from the “Who Must Comply” section of Toporoff’s The ‘Red Flags’ Rule article sets out the conditions under which a healthcare provider is covered by the Rule:
“Every healthcare organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a healthcare provider, but rather on whether your activities fall within the law’s definition of two key terms: ‘creditor’ and ‘covered account.’
“Healthcare providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, healthcare providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Healthcare providers are also considered creditors if they help patients get credit from other sources—for example, if they distribute and process applications for credit accounts tailored to the healthcare industry.
“On the other hand, healthcare providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.
“The second key term—‘covered account’—is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally ‘covered accounts’ under the law. If your organization or practice is a ‘creditor’ with ‘covered accounts,’ you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.”
Next, we refer you to the endnotes of the Fighting Fraud With the Red Flags Rule business guide, which give the Rule’s definitions of “identity theft” and “identifying information”:
» Identity Theft. “[A] fraud committed or attempted using the identifying information of another person without authority.”
» Identifying Information. “‘[A]ny name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any—
1. Name, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
2. Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
3. Unique electronic identification number, address, or routing code; or
4. Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).'”
If you are familiar with the HIPAA Administrative Simplification Privacy and Security Rules, you will recognize these identifiers: the same names, numbers, and biometric data that make health information individually identifiable, and therefore protected health information (PHI) whether oral, written, or electronic, are the identifying information that the Red Flags Rule is meant to keep out of an identity thief’s hands. A breach of PHI and an identity theft red flag will often involve the very same data elements.
Again, we refer you to the Fighting Fraud With the Red Flags Rule business guide for an outline of the four-step process for complying with the Red Flags Rule. These steps, summarized here and discussed in more detail in the business guide, are:
1. Identify Relevant Red Flags. Identify the red flags of identity theft you’re likely to come across in your business.
2. Detect Red Flags. Set up procedures to detect those red flags in your day-to-day operations.
3. Prevent and Mitigate Identity Theft. If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done.
4. Update your Program. The risks of identity theft can change rapidly, so it’s important to keep your Program current and educate your staff.
As a HIPAA covered entity, you will note that these four steps parallel the risk analysis and risk management that the HIPAA Security Rule already requires of you (45 CFR 164.308(a)(1)(ii)(A) and (B)): identify the threats to your patient accounts, put safeguards in place, respond to incidents, and revisit the analysis as risks change. An existing Security Rule risk analysis is therefore a natural starting point for an Identity Theft Prevention Program, and the Program should be reviewed whenever that risk analysis is updated. For guidance on conducting a risk analysis, HIPAA.com recommends the excellent An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 (October 2008), which is available for download on HIPAA.com under “Security”.