Enforcement of the “Red Flag Rules” Begins August 1, 2009 - Are You Prepared?


From Doctor's Life June 2009

By Erin Houck-Toll

In November 2007, the Federal Trade Commission (“FTC”) issued final rules requiring certain persons to develop and implement written identity theft prevention programs. Under the rules, “red flags” are patterns, practices, or specific activities that indicate the possible existence of identity theft. These rules, commonly referred to as the “Red Flag Rules”, may reach further than it appears at first glance - applying not just to banks and credit card companies, but to health care providers as well. If a health care provider is subject to the Red Flag Rules, it must be in compliance with those rules prior to August 1, 2009.

What is identity theft? Identity theft is a fraud committed or attempted using the identifying information of another person without authority. Identifying information is any name or number that may be used to identify a specific person, and includes name, social security number, and date of birth, as well as biometric data, such as fingerprints, retina or iris images, and other unique physical representations.

Who must comply? The Red Flag Rules apply to “financial institutions” and “creditors” who offer or maintain one or more “covered accounts.” For these purposes, a “creditor” is defined as “any person who regularly extends, renews, or continues credit.” The definition of “credit” includes the right to purchase property or services and defer payment for such property or services. A “covered account” is an account offered or maintained primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk of identity theft. An “account” means a continuing relationship established by a person to obtain a product or service for personal, family, household, or business purposes, and includes an extension of credit, such as the purchase of property or services involving a deferred payment.

On the face of the regulations, it was unclear whether a health care provider that provides services and later bills for them (whether the patient is billed immediately or billed after the insurer denies all or part of the claim), or that accepts payment over time, would be a creditor for purposes of the Red Flag Rules. The FTC has, however, informally confirmed that it believes health care providers who provide services and then bill for them are creditors subject to the Red Flag Rules. Patient records should be considered covered accounts, as they are maintained for personal or family purposes and may, depending on the account, permit multiple payments or transactions.

What is required? If a health care provider is subject to the Red Flag Rules, the health care provider must develop and implement a written “Identity Theft Prevention Program” designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Red Flag Rules provide guidance on the matters that must be considered and included in the program, and directions on the adoption and oversight of the program.

Matters to be addressed in the program include: identifying the “red flags” relevant to the covered accounts, detecting those “red flags” in practice, responding appropriately to “red flags” when detected, and updating the program periodically to reflect changes in identity theft risks.

What does this mean for you? Health care providers maintain information that could be used to commit identity theft, including patient names, addresses, dates of birth, social security numbers, and even biometric data. A common example of identity theft is the use of a person’s information to open a new credit account or to make charges on that person’s existing account, all without the knowledge or consent of the victim. In the health care field, it might also include the unauthorized use of a patient’s insurance to pay for services provided to someone other than the true insured.

In this context, a “red flag” may occur when a patient presents a photo identification that does not match the patient, or gives identifying information (such as a social security number) that does not match the information provided on prior visits. The adopted program should set forth examples of these “red flags” and the procedures that the health care provider and its staff should follow in addressing a “red flag.” Such procedures might include requesting additional information from the patient or contacting law enforcement. A failure to comply with the requirements of the Red Flag Rules may result in civil monetary penalties and administrative enforcement actions.

Conclusion. Health care providers who bill for their services after providing services may be required to adopt a program to detect, prevent, and mitigate identity theft in connection with patient medical and billing records. The program must be adopted and implemented in accordance with the Red Flag Rules prior to the August 1, 2009 enforcement date.


The contents of this article do not constitute legal advice, nor do they create an attorney-client relationship. Should you have any legal questions you should consult with your attorney.

The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you free written information about our qualifications and experience.

About the Author

Erin Houck-Toll is a business and tax attorney with the law firm of Henderson, Franklin, Starnes & Holt, P.A. She concentrates her practice in the areas of federal and state taxation, as well as many aspects of business planning, including health care law and mergers and acquisitions.