Authored By: Patricia Monson Attorney View Biography

On November 9, 2007, the United States Federal Trade Commission (“FTC”) issued new regulations requiring financial institutions and creditors to develop and implement written identity theft prevention programs to formally address the risks of identity theft and to develop a mitigation plan. The new rules take effect November 1, 2008 and may include health care providers, including physicians, hospitals, clinics and nursing homes, under some circumstances. A health care provider comes under these rules if it:  1) meets the definition of “creditor” under the Fair Credit Reporting Act, or 2) uses Consumer Credit Reports in making credit decisions with respect to patients.

The Act defines “creditor” as:

Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

“Credit” is defined as the deferral of payment for goods or services. Health care providers extend credit to patients when they do not demand payment for medical goods or services at the time the goods or services are provided. (Accepting credit cards as a form of payment does not by itself make a health care provider a “creditor”). Where non-profit and government entities defer payment for goods or services, they are considered “creditors”.

If you are a creditor, you may have obligations under the Red Flag Rules if you offer or maintain “covered accounts”. A “covered account” is an account primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions. The rules also apply to accounts which involve a reasonably foreseeable risk to customers of identity theft. An “account” is defined by the rules as a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes. If you maintain such accounts, you are covered by the Red Flag Rules and must adopt an identity theft prevention program.

Health care providers may also be covered by the rules if they use a Consumer Report to make credit decisions with respect to patients. Under the Act, a request for a credit report for a consumer will include the address that the consumer provided. If the address differs substantially from the address in the credit bureau files, the bureau will notify the requestor of the discrepancy. That notice of address discrepancy will trigger obligations under the new rules.

The new regulations contain guidelines on the establishment of identity theft prevention programs. Requirements of a theft identity program include:  a) identification of relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft; b) detection of these red flags; c) response to those detected to prevent and mitigate; d) insuring that the program is updated periodically to reflect changes and risks.

For further information on whether your health care organization is covered under these new regulations or for assistance in establishing an identify theft prevention program, please contact Patricia Monson at pmonson@felhaber.com (612) 373-8455, or any member of the Felhaber Law Firm’s Health Law Practice Group available at www.felhaber.com.

Click here to read the Update Posted on October 27, 2008:
"Red Flags" Rule Update
FTC Grants Six Month Delay of Enforcement