Uncategorized

Red Flag Rule: Executive Summary

Under recently issued regulations, the Federal Trade Commission requires financial institutions and creditors to develop and implement written identity theft prevention programs. The broad purpose of these Red Flag and Address Discrepancy Rules [1] is to require financial institutions and creditors to formally address the risks of identity theft and develop a mitigation plan. Health care providers can be creditors and, therefore, subject to the new rules, which were originally were scheduled to take effect on November 1, 2008. The FTC suspended enforcement until November 1, 2009. [2]

Red Flag Rule: Background

The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission and bank regulatory agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. The requirement includes special regulations directing debit and credit card issuers to validate notifications of changes of address under certain circumstances. 15 U.S.C. § 1681m(e). Another FCRA amendment calls for additional joint regulations offering guidance regarding reasonable policies and procedures that a user of a consumer report (e.g., a credit grantor) should employ when the user receives a Notice of Address Discrepancy. 15 U.S.C. § 1681c(h).

Red Flag Rule: How the Red Flag Rule Affects Health Care Providers

The Red Flag Rule applies broadly to financial institutions, credit grantors, and some others, including some health care providers. A health care provider comes under the Red Flag rule if the provider: 1) meets the definition of creditor under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)). A health care provider comes under the Address Discrepancy Rule if they: 1) use consumer credit reports.

Red Flag Rule: What are the Obligations for a Health Care Provider Covered by the Red Flag Rule as a Creditor?

A health care provider that qualifies as a creditor that offers or maintains covered accounts must develop and implement a written Identity Theft Prevention Program. The purpose of the program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The Program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. A large hospital will need a more robust program than a two-doctor office.

Red Flag Rule: What are the Address Discrepancy Obligations for a Health Care Provider That Uses Credit Reports?

The Address Discrepancy rule requires a user of a consumer report (credit report) to develop and implement reasonable policies and procedures to enable the user to deal with an address discrepancy. These requirements are narrower than the Red Flag rule for creditors. However, applicability of the address discrepancy requirement may affect a broader class of health care provider (and health insurers) than the Red Flag rule.