FTC Red Flag Regulations Require Health Care Providers to Adopt

By August 1, 2009, pursuant to the regulations promulgated by six federal agencies, including the Federal Trade Commission (“FTC”), health care providers that qualify as “creditors” with “covered accounts” must adopt a written identity theft prevention program. The regulations, entitled “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003” (the “Red Flags Regulations”), also require users of consumer reports to adopt policies and procedures applicable when the user receives notification of an address discrepancy. The address discrepancy rules took effect on November 1, 2008.

The Red Flags Regulations Apply to Most Health Care Providers

Pursuant to the Red Flags Regulations, a business or organization is a “creditor” if the business or organization (a) extends, renews or continues credit, (b) arranges for someone else to extend, renew or continue credit, or (c) is the assignee of a creditor who is involved in the decision to extend, renew or continue credit. The term “credit” is broadly defined as an arrangement by which payment of debts for the purchase of property or services is deferred.

The Red Flag Regulations apply to two types of “covered accounts.” The first type is an account used mostly for personal, family or household purposes that involves multiple payments or transactions and includes continuing relationships with consumers for the provision of medical services. The second type of covered account is one for which there is a foreseeable risk of identity theft.

The FTC has taken the position that (1) health care providers are “creditors” if they bill consumers after services are completed and (2) health care providers that accept insurance are creditors if the consumer is ultimately responsible for the payment of medical fees. Accordingly, effective August 1, covered health care providers must be in compliance with the rules.

The Red Flags Regulations Require that Health Care Providers Immediately Adopt an Identity Theft Prevention Program

Compliance with the Red Flag Regulations requires that covered health care providers immediately take the following actions: 

 1. Prepare, adopt (by the appropriate governing body) and implement an identity theft prevention program (“Program”); 
 2. Prepare, adopt (by the appropriate governing body) and implement address discrepancy policies; and 
 3. Educate and train employees about the Program and related policies.

The FTC has provided a template for a written identity theft program, available at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm. While providers can use this template to assist with the preparation of policies, providers should conduct a thorough risk assessment and craft policies tailored specifically to the provider’s operations.

Benesch, Friedlander, Coplan & Aronoff LLP has developed written materials that can be customized for our clients and can help you with the process. Contact us today to discuss compliance with these mandates.

Jayne E. Juvan at (216) 363-4636 or jjuvan@beneschlaw.com

Beth Rosenbaum at (216) 363-4519 or brosenbaum@beneschlaw.com

Alan E. Schabes at (216) 363-4589 or aschabes@beneschlaw.com

Harry M. Brown at (216) 363-4606 or hbrown@beneschlaw.com

Janet K. Feldkamp at (614) 223-9328 or jfeldkamp@beneschlaw.com

Frank W. Carsonie at (614) 223-9361 or fcarsonie@beneschlaw.com

Marty J. Sweterlitsch at (614) 223-9367 or msweterlitsch@beneschlaw.com.