Published on: | by

The Red Flag Rules and Health Care Providers

As the “Red Flag Rules” enforcement date of May 1, 2009 quickly-approaches, health care providers need to get prepared. The Red Flag Rules require financial institutions and “creditors” to develop and implement identity theft prevention programs that provide for identification, detection, and response to patterns, practices or specific activities (known as red flags) that could indicate identity theft. Although enforcement was initially slated for November 2008, the Federal Trade Commission suspended enforcement until May 1, 2009 to give creditors, which may include many health care providers, additional time to develop and implement their identity theft programs.

Many health care providers including physicians and hospitals were surprised to learn that they could be subject to the Red Flag Rules. The FTC regulation defines a creditor as an entity that regularly extends, renews, continues credit or arranges for the extension of credit. The FTC would include a health care provider in this definition if the provider does not regularly demand payment in full for services at the time of service, which according to the FTC would be considered extending credit. If the provider is a creditor, the next step is to determine whether the provider maintains covered accounts of its patients. This would include consumer accounts designed to accept multiple payments and other accounts that would have a reasonably foreseeable risk of identity theft. In summary, it appears that the FTC’s position is that health care providers are subject to the Red Flag Rules if they extend credit to a consumer/patient by establishing an account that permits multiple payments (e.g., a payment plan). You can learn more about the Rules by visiting the Federal Trade Commission website at www.ftc.gov.

According to the regulations, a health care provider that extends payment plans to patients must establish an Identity Theft Prevention Program (“the Program”), which must be appropriate to the size and complexity of the organization and nature and scope of its activities. In summary, the Program must include “reasonable” policies and procedures to:
(a) Identify relevant Red Flags;
(b) Detect Red Flags; and
(c) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.

From an administrative standpoint, a provider must obtain approval of the initial policies and procedures from its board of directors or other appropriate committee of the board. Moreover, it must involve the board (or committee of the board) or another member of senior management in the oversight of the Program and train appropriate staff. In developing policies and procedures, each covered practice is required to consider applicable guidelines set forth in Appendix A of the FTC portion of the regulations.

Health care providers subject to the regulations are also required to take steps to oversee that their service providers conduct business in accordance with procedures also designed to mitigate the risk of identity theft.

For more information, please call Abby Pendleton, Esq. or Jessica L. Gustafson, Esq., Adrienne Dresevic, Esq. or Carey F. Kalmowitz, Esq. at (248) 996-8510, visit The HLP website’s Compliance and HIPAA page, or visit The HLP website.

Contact Information
Detroit
32000 Northwestern Hwy #240
Farmington Hills, MI 48334
P (248) 996-8510 F (248) 996-8525

The Health Law Partners, P.C.

New York City
15 W 38th St 4th Floor #735
New York, NY 10018
P (212) 734-0128 F (917) 210-2952

The Dresevic, Iwrey, Kalmowitz & Pendleton Law Group A Division of The Health Law Partners, P.C.

This is an attorney advertisement.

We serve the following localities: Alpena County, Alpena, Bay County, Auburn, Bay City, Essexville, Pinconning, Berrien County, Benton Harbor, Berrien Springs, Buchanan, Coloma, Niles, St. Joseph, Stevensville, Watervliet, Calhoun County, Albion, Battle Creek, Marshall, Charlevoix County, Boyne City, Charlevoix, East Jordan, Cheboygan County, Cheboygan, Crawford County, Grayling, Eaton County, and Bellevue. [ View More ]

This is an attorney advertisement.

Branding by Zoyes Creative

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2024, The Health Law Partners, P.C.
JUSTIA Law Firm Blog Design