The Red Flags Rule and Your Practice
Recently, we’ve been hearing some questions about the Federal Trade Commission’s privacy and security requirements, called the “Red Flags Rule,” and how it may affect your practice. We have put together a summary of information about these new requirements with links to more information to help your practice learn about the issue and make informed decisions.
What is the Red Flags Rule?
Last year the Federal Trade Commission (FTC) introduced new privacy and security requirements for banks and creditors called the Red Flags Rule. The requirements are designed to help prevent identity theft. The Red Flags Rule states that financial institutions and creditors must develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.
When will enforcement begin?
The Red Flags Rule was first announced in January of 2008, and required that programs be in place by November 2008. A six-month delay has been enacted, with the compliance date now set to May 1, 2009. Financial institutions and creditors are required to have these programs established, and the programs must provide for the identification, detection, and response to patterns, practices, or specific activities, known as “red flags,” that could indicate identity theft.
Who must comply with the Red Flags Rule?
The Red Flags Rule pertains to financial institutions and creditors with “covered accounts.” The term creditor under the rules is defined as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.”
The FTC has said that accepting credit cards as a form of payment does not in and of itself make an entity a creditor, but where an entity defers payment for goods or services, it is then considered a creditor.
A “covered account” is defined by the FTC as an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft, for example, small business or sole proprietorship accounts.
So, are physicians considered “creditors”?
There have been a number of conflicting points of view as to whether or not a medical office is considered a creditor. The MGMA has joined the AAP and other medical organizations in responding to the FTC about this rule, saying that it does not seem appropriate to consider a medical office a “creditor.”
To our knowledge, the FTC has not yet responded to the MGMA’s position on this issue. What we’re seeing right now is articles appearing in various journals which are speculating as to what might happen.
What action, if any, should pediatricians take?
We encourage you to learn about the Red Flags Rule and make an informed decision for your practice. We have heard of several instances where customers are being approached by vendors selling services to address these rules. In some cases, the sales tactics are high-pressure and the solutions costly. We want pediatricians to be aware, before rushing out to purchase potentially costly services, that there is an active dispute as to whether the rule even applies to medical offices.
PCC agrees with the AAP and MGMA that it does not seem appropriate to consider a medical office a “creditor” and thus the Red Flags Rule should not apply to medical offices. We also agree that protecting against identity theft is very important. PCC has been in contact with health care lawyers and has read the Red Flags Rule, MGMA response, and other industry articles about this topic.
We believe identity theft concerns may be addressed by your existing HIPAA policies, which are designed to prevent the theft, sale, or distribution of protected health care information. The information covered by the Red Flags Rule is a subset of the protected health care information.
However, this may be a good opportunity to review your office’s policies to make sure you are in compliance with all aspects of HIPAA: Privacy, Security, Transactions and Code Sets, and National Provider Identifier Standards. PCC can help you achieve compliance with our collection of sample policies and forms. You can also refer to our selection of helpful HIPAA resources to learn more about the standard requirements.