The Red Flag Rules and Health Care Providers

As the “Red Flag Rules” enforcement date of May 1, 2009 quickly-approaches, health care providers need to get prepared. The Red Flag Rules require financial institutions and “creditors” to develop and implement identity theft prevention programs that provide for identification, detection, and response to patterns, practices or specific activities (known as red flags) that could indicate identity theft. Although enforcement was initially slated for November 2008, the Federal Trade Commission suspended enforcement until May 1, 2009 to give creditors, which may include many health care providers, additional time to develop and implement their identity theft programs.

Many health care providers including physicians and hospitals were surprised to learn that they could be subject to the Red Flag Rules. The FTC regulation defines a creditor as an entity that regularly extends, renews, continues credit or arranges for the extension of credit. The FTC would include a health care provider in this definition if the provider does not regularly demand payment in full for services at the time of service, which according to the FTC would be considered extending credit. If the provider is a creditor, the next step is to determine whether the provider maintains covered accounts of its patients. This would include consumer accounts designed to accept multiple payments and other accounts that would have a reasonably foreseeable risk of identity theft. In summary, it appears that the FTC’s position is that health care providers are subject to the Red Flag Rules if they extend credit to a consumer/patient by establishing an account that permits multiple payments (e.g., a payment plan). You can learn more about the Rules by visiting the Federal Trade Commission website at

According to the regulations, a health care provider that extends payment plans to patients must establish an Identity Theft Prevention Program (“the Program”), which must be appropriate to the size and complexity of the organization and nature and scope of its activities. In summary, the Program must include “reasonable” policies and procedures to:
(a) Identify relevant Red Flags;
(b) Detect Red Flags; and
(c) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.

From an administrative standpoint, a provider must obtain approval of the initial policies and procedures from its board of directors or other appropriate committee of the board. Moreover, it must involve the board (or committee of the board) or another member of senior management in the oversight of the Program and train appropriate staff. In developing policies and procedures, each covered practice is required to consider applicable guidelines set forth in Appendix A of the FTC portion of the regulations.

Health care providers subject to the regulations are also required to take steps to oversee that their service providers conduct business in accordance with procedures also designed to mitigate the risk of identity theft.

For more information, please call Abby Pendleton, Esq. or Jessica L. Gustafson, Esq., Adrienne Dresevic, Esq. or Carey F. Kalmowitz, Esq. at (248) 996-8510, visit The HLP website’s Compliance and HIPAA page, or visit The HLP website.

Contact Information