The new “Red Flag Rules” issued by the Federal Trade Commission (FTC) require certain types of healthcare providers to implement identity theft prevention programs by May 1, 2009. The recent buzz about the Red Flag Rules and how to identify suspicious “red flag” transactions has healthcare providers asking a lot of questions and getting few answers. Who is a creditor? Do the new rules apply to my clinic? What is an identity theft prevention program?

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA.
The Identity Theft Red Flag Rules require covered entities to implement a program to detect and respond appropriately to signs of identity theft. For a health care provider, this would mean, as an example, detecting situations in which a patient may be attempting to obtain medical services using another person’s identity and medical insurance policy. Since the FTC’s position on this issue has been firm, unless and until the AMA obtains a stay on enforcement of the rules, medical care providers should gear up for compliance. According to the FTC, for many providers of medical care, compliance may not be too burdensome since their programs need only be scaled to the level of risk of identity theft faced by their patients. So if the risk is low, the identity theft program can be streamlined commensurate with such risk. As examples, a health care provider could implement a program that includes, among other things:

Checking patients’ photo IDs when medical services are sought
Responding appropriately when notified by a consumer or law enforcement agency that the consumer’s identity has been misused
Isolating suspect medical records from the victim’s medical records
Suspending collection efforts against the medical identity theft victim relating to services provided to the unauthorized individual
(Posted from privacy law blog)