Red Flag Rules Finally Implemented, Enforcement to Begin Nov. 1, 2009

On November 1, 2009, the Federal Trade Commission (FTC) will begin enforcing its “Red Flags Rule,” aimed at combating identity theft. The rule requires businesses, including many health care providers, to develop and enforce a written policy for identifying the warning signs (or “red flags”) of identity theft, including medical identity theft. To be regulated under the rule, health care providers must be “creditors” that deal with “covered accounts.”[1] A “creditor” under the rule means “any person who regularly extends, renews, or continues credit; [or] any person who regularly arranges for the extension, renewal, or continuation of credit…,” and a “covered account” is defined as one “primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.”[2] The FTC has determined that physicians are included as creditors and that hospitals must be looked at on a case-by-case basis. Health care organizations that require pre-payment or payment at the time of service, or that receive full payment from a program under which patients have no responsibility for fees or the remaining cost of care, such as Medicaid, would not be covered by the rule because of their reduced exposure to identity theft risk.[3]

Almost all health care practitioners will be affected by these rules. The final Red Flags Rule was published in November 2007 under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Although the rule technically came into effect on January 1, 2008, covered entities have been given until November 1, 2009 to comply, through a series of extensions granted because of industry confusion over who was covered.

The American Medical Association (AMA) has petitioned the FTC to suspend application of the Red Flags Rule to physicians and to publish a new rule, dealing only with the application of the rule to physicians, so that physician stakeholders have the opportunity to review and comment on the implications of such regulatory compliance. The AMA has stated that, in its current form, the Red Flags Rule does not comply with the Administrative Procedure Act, which requires that entities be made aware of regulations that affect them and be given the opportunity to comment.[4] The AMA has also expressed concern that physicians forced to comply with the rule would face an “unfunded, costly, burdensome mandate” that duplicates existing requirements under the Health Insurance Portability and Accountability Act (HIPAA).

Under the Red Flags Rule, the required written policies should lay out how a physician practice will (1) identify, (2) detect and (3) respond to “red flags.”[5] A “red flag” is defined as “a pattern, practice, or specific activity that indicates the possible risk of identity theft.”[6] The procedures adopted to ensure compliance with the rule should be laid out specifically. Policies should be approved by any governing board, all employees should be trained in the policies and procedures before November 1, 2009, and the policies should be reviewed annually.[7] Twenty-six examples of red flags are provided in the new regulations. They include suspicious personal identifying information, such as (1) application information that is the same as that provided on a fraudulent application; (2) an address that is fictitious, a mail drop, or a prison, or a phone number that is invalid or associated with a pager or answering service; (3) a Social Security number that is the same as one submitted by other patients; and (4) situations in which the personal identifying information provided is not consistent with the personal identifying information on file with the financial institution or creditor. Suspicious activity is also a red flag, for example when the medical services needed are not consistent with past medical history (e.g., a patient who has already had an appendectomy comes into the emergency room with appendicitis).[8]

For health care providers covered by the Red Flags Rule, some or all of their red flag responsibilities may already be satisfied by HIPAA privacy and security rule policies and procedures. The written policies required by the Red Flags Rule are flexible as to what constitutes a satisfactory written “plan,” and the rule allows creditors to incorporate existing processes into their identity theft program, meaning existing HIPAA policies can satisfy applicable requirements. This may ease the process of becoming compliant with the Red Flags Rule for health care providers.[9] While the HIPAA privacy rules cover patient medical records, the Red Flags Rule extends to other sensitive information such as credit card numbers, tax identification numbers, Social Security numbers, business identification numbers and employer identification numbers, insurance claim information, and background checks for employees and service providers. Health care providers whose policies are not red flag compliant may face a penalty of up to $2,500 per knowing violation.[10]


1. Steven Toporoff, “The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft,” Federal Trade Commission, May 13, 2009.

2. “Equal Credit Opportunity Act,” 15 USCS 1691(a); “Identity Theft Rules,” 16 CFR 681.2(5).

3. Steven Toporoff, “The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft,” Federal Trade Commission, May 13, 2009.

4. “Federal Trade Commission Final Rule on Identity Theft Red Flags; 16 CFR Part 681; Application of the Red Flags Rule to Physicians,” letter to Jon Leibowitz (Chairman of the U.S. Federal Trade Commission), March 9, 2009.

5. “Red Flag Regulations and Guidelines,” 72 Fed. Reg. 63719.

6. Steven Toporoff, “The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft,” Federal Trade Commission, May 13, 2009.

7. “AMA Identity Theft Prevention and Detection and Red Flag Rule Compliance: Sample Policy,” American Medical Association, 2009.

8. “Hospitals Should Analyze Credit Policies to Determine Coverage by Red Flag Rule,” Bureau of National Affairs, Health Law Reporter, Sept. 25, 2008, 17 HLR 1259.

9. “Hospitals Should Analyze Credit Policies to Determine Coverage by Red Flag Rule,” Health Law Reporter, Sept. 9, 2008.

10. “Protect Your Patients, Protect Your Practice: What You Need to Know About the Red Flags Rule,” American Medical Association, 2009.