Mid-Atlantic Health Law TOPICS
Who Me? The Red Flag Rules
On December 4, 2003, President Bush signed into law the Fair and Accurate Credit Transactions Act (FACT Act). On November 9, 2007, the Federal Trade Commission (FTC), along with federal banking regulators and the National Credit Union Administration, issued nearly identical regulations to implement certain provisions in the FACT Act regarding identity theft.
The FTC's final regulations include, among other things, duties imposed on creditors known as the Red Flag Identity Theft Rules. Compliance was required by November 1, 2008. However, on October 22, 2008, the FTC announced a delay in the enforcement of the Red Flag Identity Theft Rules (until May 1, 2009) to give those covered more time to comply.
Quite simply, the Red Flag Rules apply to every hospital and virtually every other health care provider, notwithstanding that Maryland health care providers already comply with the Health Insurance Portability and Accountability Act's Security Rule and the Maryland Confidentiality of Medical Records Act. Moreover, noncompliance with the Red Flag Rules could result in significant civil liability and/or administrative penalties.
A. Who's Covered?
The Red Flag Rules require financial institutions and "creditors" who offer or maintain one or more covered accounts to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft.
A "creditor" is defined as any person who regularly extends, renews, or continues credit. Interestingly, the FTC's staff attorneys have interpreted this to include health care providers who either do not require payment at the time services are rendered, but rather allow patients to be billed at a later time, or who bill third party payors first, and allow the patients to pay amounts not covered at a later time. The American Medical Association challenged this interpretation in a letter to the FTC, but the FTC stood its ground.
B. Red Flag Program
The Red Flag Rules specify that a written Red Flag Program must be developed if a creditor maintains "covered accounts," which are accounts that represent a continuing relationship, and either are for personal, family, or household purpose and involve (or permit) multiple payments or transactions, or are for any purpose but pose a reasonable, foreseeable risk from identity theft.
The Program must be designed to detect so-called "red flags", and to respond appropriately to red flags. A "red flag" is a pattern, practice, or specific activity that indicates the possibility of identity theft.
In developing a written Red Flag Program, providers will not have to start from scratch. An approved Program outline is available.
C. Program Oversight
Overall responsibility for the oversight, development, implementation, and administration of a Red Flag Program lies with a provider's board of directors, an appropriate committee of the board, or senior management. Generally, oversight should include assigning specific responsibility for Program implementation, reviewing reports prepared by staff concerning compliance, approving material changes to the Program, training staff to implement the Program effectively, and implementing appropriate oversight of third party service providers that perform activities on behalf of providers in connection with covered accounts.
A violation of the FACT Act constitutes an unfair or deceptive act or practice. The FTC is authorized to impose a civil penalty of not more than $2,500 per knowing violation. However, if the FTC considers a noncompliant provider in violation of the law for each covered account that it maintains, then the provider could be hit with extraordinary fines.
Additionally, a provider may be subject to civil liability for actual damages sustained by a customer (e.g., a patient) as a result of the provider's willful or negligent failure to comply with the law. If that is not enough, the provider may also be subject to punitive damages, as well as costs and attorney's fees.
In light of these potentially severe penalties, adoption of, and compliance with, a Red Flag Program is something that all health care providers should take seriously.
March 24, 2009