August 1 Deadline Approaching for Red Flag Rule Identity Theft Prevention Program

July 24, 2009

By August 1, all businesses, including health care providers, that offer or maintain accounts covered under the FTC's Red Flag Rules must have an Identity Theft Prevention Program in place that complies with the Red Flag Rules.

What it Means for Health Care Providers

A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of identity theft. An "account" includes a continuing relationship that a patient establishes with a health care provider to obtain a medical product or service that involves deferred payment. An account is covered under the Red Flag Rules if it permits multiple payments or is at risk for identity theft. Any health care provider, including a hospital or doctor's office, that bills a patient for products or services after the patient leaves the facility, or offers a payment plan, must have an Identity Theft Prevention Program in place by August 1. This includes health care providers that balance bill patients for the fees and costs not covered under the patients' insurance.

The Identity Theft Prevention Program must incorporate reasonable policies and procedures to (1) identify Red Flags relevant to the account, (2) detect Red Flags, and (3) respond appropriately to any Red Flags that are detected. Once completed, the Identity Theft Prevention Program must be approved by a company's board of directors or an appropriate committee of the board of directors; be overseen by the board, a committee of the board, or an employee at least at the level of upper management; and be updated at least annually.

The FTC has provided a template Identity Theft Prevention Program for businesses, such as doctors' offices, that have personal relationships with their patients and a low risk of identity theft. While this can be used as a starting point, each health care provider must assess the risk to its patients and its business from identity theft and customize its program in accordance with the nature, scope and complexity of its activities.

For a more detailed explanation of the Red Flag Rules, please see Frost Brown Todd's Client Update distributed March 24. For assistance with your Identity Theft Prevention Policy, please contact Billy Mabry, Gretchen Ackerman or any other attorney in Frost Brown Todd's Health Law Practice Group.