Red Flag Rule: Executive Summary

Report home | Read the report (PDF) | Next section

Under recently issued regulations, the Federal Trade Commission requires financial institutions and creditors to develop and implement written identity theft prevention programs. The broad purpose of these Red Flag and Address Discrepancy Rules [1] is to require financial institutions and creditors to formally address the risks of identity theft and develop a mitigation plan. Health care providers can be creditors and, therefore, subject to the new rules, which were originally were scheduled to take effect on November 1, 2008. The FTC suspended enforcement until November 1, 2009. [2]

This document focuses in particular on the application of the Red Flag rules to health care providers. It provides suggestions from the World Privacy Forum about how to implement the rules in a health care context, and also discusses best practices. Nothing here constitutes legal advice.

A “Red Flag” is defined as a pattern, practice, or specific activity that could indicate identity theft. A “Notice of an Address Discrepancy” is a notice that a credit bureau sends to a person or business that ordered a credit report about a consumer. The Notice of Address Discrepancy triggers obligation for that person or business under the new regulations. Federal law says generally that entities offering credit to consumers need to look for and pay attention to evidence of identity theft that arises from their dealings with consumers. The new Red Flag and Address Discrepancy Rules define these obligations with specificity.

Health care providers – whether they are for-profit, non-profit, or governmental entities – may have obligations under the rules. Medical identity theft – particularly involving insider access to data – is a real concern in the health care sector, and is included expressly in the Red Flag Rules Guidelines. [3] The possibility of medical identity theft gives rise to a duty to monitor for the potential that patients may be victims. The prudent provider will also oversee employee and vendor access to patient data.

The Red Flag and Address Discrepancy rules are designed to protect consumers. The World Privacy Forum prepared this document to encourage better understanding and application of these rules. Consumers will only realize the protections if health care providers apply the rules robustly and consistently. Previous work by the World Privacy Forum suggests that providers need help in addressing identity theft issues. Providers need to understand that they too are victims of medical identity theft, along with patients and insurers. It is in everyone’s interest to take actions that will limit, prevent, or mitigate medical identity theft.

Red Flags that the World Privacy Forum recommends for health care providers are:

• A complaint or question from a patient based on the patient’s receipt of:

o a bill for another individual

o a bill for a product or service that the patient denies receiving

o a bill from a health care provider that the patient never patronized, or

o a notice of insurance benefits (or Explanation of Benefits ) for health services never received.

• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.

• A complaint or question from a patient about the receipt of a collection notice from a bill collector.

• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.

• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.

• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.

• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.

• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

Note: There is a good deal of misunderstanding regarding the role and utility of ID checks in a Red Flag and medical identity theft context. See the Mitigation section in this document for a discussion of this issue.

All of these Red Flags take on greater importance if the patient has also filed a police report regarding identity theft. Health care providers should include questions to determine the presence of a police report in their Red Flag identity theft plans. Another factor that increases the importance of a Red Flag is if the health care provider or other relevant entity in the health care community has had a recent data breach that included the patient’s data.

_____________________________

Endnotes

[1] See <http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf>.

[2] See <http://ftc.gov/opa/2009/07/redflag.shtm>.

[3] Federal Trade Commission et al., Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63718, 63727 (Nov. 9, 2007) “For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk.” Note that the Red Flag Rule and the Address Discrepancy Rule were published together, but are separate rulemakings, <http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf>.

Roadmap: Red Flag and Address Discrepancy Requirements – Suggestions for Health Care Providers: Executive Summary

Report home | Read the report (PDF) | Next section

Posted September 25, 2009 in Federal Trade Commission (FTC), Health Privacy, Red Flag Rule, Uncategorized

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.