Published with permission by the FTC. Written by Tiffany George and Pavneet Singh
The expression “red flag” signals “Danger: Be alert to problems ahead.” For millions of consumers every year, identity theft is more than a threat — it’s their reality. Businesses often bear the biggest part of the monetary damage from identity theft. But the economic, psychological, and emotional harm to victims can be devastating. And when the identity theft involves health information, the consequences can be particularly severe.
It’s everyone’s responsibility to do what they can to fight identity theft. Health care providers can be the first to spot the red flags that signal the risk of identity theft, including suspicious activity indicating that identity thieves may be using stolen information like names, Social Security numbers, insurance information, account numbers, and birth dates to open new accounts or get medical services.
Under the Red Flags Rule, which went into effect on January 1, 2008 *, certain businesses and organizations — including many doctor’s offices, hospitals, and other health care providers — are required to spot and heed the red flags that often can be the telltale signs of identity theft. To comply with the new Red Flags Rule — enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) — you may need to develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.
Are you covered by the Red Flags Rule? If so, have you put into place the new procedures the Rule requires?
Who Must Comply
Although every business or organization with an ongoing relationship with consumers should keep an eye out for the possibility of identity theft, health care providers should pay particular attention to the requirements that the Red Flags Rule applies to “creditors.” To determine if your business or organization is covered by the Rule and required to develop a written identity theft Program, you’ll need to answer two questions:
- Is your business or organization either a “creditor” or “financial institution,” as those terms are defined in the Rule?
- If so, do you have “covered accounts”?
Although it’s unlikely health care providers would fall within the definition of a “financial institution,” many are “creditors” under the Rule. Your business or organization is a “creditor” if you regularly:
- extend, renew, or continue credit;
- arrange for someone else to extend, renew, or continue credit; or
- are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.
Under the Rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services.
Health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.
If you determine you’re a creditor, the next step is to see if you have “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. This includes continuing relationships with consumers for the provision of medical services.
The other is one for which there is a foreseeable risk of identity theft. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed — i.e. what type of interaction and documentation is required — as well as your experience with identity theft.
If your business or organization is a financial institution or creditor, but does not have any covered accounts, you don’t need a program. But if you have covered accounts, you must develop a written program to identify and address the red flags that could indicate identity theft.
How To Comply
The Rule doesn’t tell you specifically what your red flags program must look like. Instead, it gives you flexibility to implement a program that best suits your business or organization, as long as it meets the Rule’s requirements.
Your starting point for developing a program is the Guidelines issued with the Red Flags Rule, available at
www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. (The Guidelines are on pages 63773-63774 of the document.) The Guidelines list the issues you must consider in developing and maintaining a program appropriate for your business or organization. You also should draw on your own experience and knowledge about identity theft risks in developing your program.
There are four basic steps to designing a program to comply with the Rule:
- Identify relevant red flags;
- Detect red flags;
- Prevent and mitigate identity theft; and
- Update your program periodically.
In addition, your program must spell out how it will be administered. The program should be appropriate to the size and complexity of your company or organization, as well as the nature of your operations.
Identify Relevant Red Flags
Under the Rule, creditors and financial institutions with covered accounts must develop a written program to identify the warning signs of identity theft.
The Guidelines describe the following categories of warning signs — red flags — that your program must identify and address:
- alerts, notifications, or warnings from a consumer reporting agency;
- suspicious documents;
- suspicious personally identifying information;
- suspicious activity relating to a covered account; or
- notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
When identifying red flags, consider the nature of your business and the type of identity theft to which you might be vulnerable. Because health care providers may be at risk for medical identity theft, you’ll need to identify the warning signs that reflect this risk.
Detect Red Flags
Once you’ve identified the red flags that are relevant to your organization or business, you must establish policies and procedures to detect them in your day-to-day operations.
For example, you may spot red flags when you verify a consumer’s identity, authenticate consumers, review medical records, or verify insurance information. Some red flags may seem harmless on their own, but can signal identity theft when paired with other events, say, a change of address coupled with the use of an address associated with fraudulent accounts.
Prevent and Mitigate Identity Theft
Your program must include appropriate responses to your red flags to prevent and mitigate identity theft. These responses could include monitoring accounts, contacting the insurance provider, changing account numbers to prevent misuse, or a combination. Sometimes you may determine that no response is necessary. In other cases, certain events — such as a recent data breach, a phishing fraud that targeted your business or organization, or another suspicious activity — may raise the risk of identity theft and require specific preventive actions.
Update Your Program Periodically
Because identity theft threats change, your program must describe how you will update it to ensure that you are considering new risks and trends.
Administering Your Program
No matter how good your program looks on paper, the true test is how it works. Your program must describe how it will be administered, including how you will get the approval of your management, maintain the program, and keep it current.
According to the Rule, your program must be approved by your Board of Directors or, if your business or organization doesn’t have a Board, by a senior employee. The Board or designated senior employee also must approve any material changes to the program. Your program should include staff training as appropriate, and provide a way for you to monitor the work of your service providers. The keys are to maintain oversight of the program, keep it relevant and current, and ensure that all necessary members of your staff — from the intake desk to the records room — are on board. A program that stays in a filing cabinet isn’t a good program.
Penalties for Noncompliance
Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties. But there’s an even more important reason for compliance: It assures your consumers that you are doing your part to fight identity theft.
Have questions about how health care providers can comply with the Rule? Email RedFlags@ftc.gov.
* On October 22, 2008, the Federal Trade Commission issued an Enforcement Policy statement that delays enforcement of the Red Flags rule until May 1, 2009 (http://www.ftc.gov/opa/2008/10/redflags.shtm). This does not affect enforcement of the address discrepancy and credit card issuer rules. Nor does it affect compliance for entities not under the jurisdiction of the Commission.
Tiffany George and Pavneet Singh are attorneys in the Federal Trade Commission’s Division of Privacy and Identity Protection.
To contact www.IdentityTheft.info please email info@IdentityTheft.info