By Brant Crouch and Jason Lavender
We've all heard a horror story about identity theft - or perhaps you have been a victim yourself. But did you know that you (individually) and your hospital could be found guilty of stealing someone else's identity without even knowing that you did it? You read correctly. Any institution or individual who HANDLES personal non-public information is at risk of breaking new Federal and State Identity Theft Legislation. Non-compliance carries strong consequences such as fines, criminal and civil litigation and up to 10 years in prison.
This article focuses on one particular area known as the Red Flag Regulations. Enforcement has been delayed until May 1, 2009. In late 2007, the Federal Trade Commission ("FTC") issued sweeping regulations aimed at deterring, detecting and preventing identity theft. Under these rules, known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. and Final Rule ("Red Flag Regulations"), financial institutions and creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft. For more information go to http://www.ftc.gov/bcp/edu/
Most health care providers fall under the regulation due to its definition of Creditor. It applies to personal accounts that are paid after the service is rendered or if the service is intended to be paid in installments. Most health care accounts or charges are not paid in advance of service. However, even if a provider generally provides care on a pre-paid basis, accepting patient payments plus insurance payments amounts to a multiple-payment account, which would make the provider subject to the Red Flag regulations. It's important to note that the American Medical Association (AMA) and several other healthcare associations are making efforts to get the FTC to remove health care providers from the definition of Creditor. However, it appears that the FTC will continue to broaden the scope of who will need to comply rather than narrowing it. In a February 4, 2009 response to the AMA, the FTC specifically addressed this issue by reinforcing that providers will not be excluded and cited several reasons why. To obtain a copy of this letter or more information you may email the authors of this article.
So now what can health care providers do to get into compliance as quickly and cost-effectively as possible? Much of what needs to be done to comply can be done internally using your own staff. Many compliance plan templates are available for free and some at a nominal cost. However, the multiple steps required to comply fully with the regulation involve employee training for ALL staff, third party vendor notification, and possibly more heavy lifting. One option is to utilize an outside resource to assist in providing the employee training. TPHAC has a resource available to all members that provides these services at no cost.
Many medical facilities around the country have taken proactive measures to ensure that they protect and educate their own staff and the public they serve by enforcing a solid privacy policy as one way to minimize internal risks. One CEO said, "We take pride in the fact that we are taking the reasonable steps necessary to protect our staff, patients and private records. Our employees have found significant value in the Identity Theft awareness training and related employee benefits we now provide."
One of the leading publications for business legal issues, Business & Legal Reports, writes:
"One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance."
John Gardner, a former member of the South Carolina House of Representatives and 23-year veteran attorney, explains that, "The government says that an institution must have four things: a written privacy policy, someone to oversee that policy, training for your employees on the true problem of identity theft, and a mitigation plan in place."
Many health care providers either don't know about these laws or falsely believe that they are exempt from them. Some state governments like Texas have taken the aggressive approach of sending investigators out to businesses to look for violations.
"Identity theft is one of the fastest growing crimes in the United States," Attorney General Greg Abbott said. "Texans expect their personal information to be protected. The Office of the Attorney General will take all necessary steps to ensure that consumers are protected from identity thieves." And they have, making examples of many companies, from large ones like Radio Shack and EZ Corp to smaller businesses like modeling agencies and beauty colleges.
While there's no doubt that health care providers simply do not need any more government compliance headaches, it's clear that when it comes to identity theft there will be no letting up. The AMA will continue to contest this issue with the FTC. In the meantime, it is important to take immediate steps toward compliance, and providing identity theft protection to your patients and employees might be the best way to address these challenges.
Brant Couch, CPA and Vice President with HealthSure, Inc., is located in Austin, Texas. He can be reached at 512-292-3315 or brantc@healthsure.com.
Jason Lavender, Managing Partner & Certified Identity Theft Risk Management Specialist with ID Theft Solutions of America, is located in Austin, Texas. He can be reached at 512-514-6598 or jlavender@idtsoa.com.
Great article... Nice to see an easy-to-understand version of all this.