Founded in 1977, KIRSCHENBAUM & KIRSCHENBAUM, P.C., is one of Long Island's most prominent and well-respected mid-size general practice law firms. The firm continues its tradition of providing clients with legal advice and services of the highest quality and maintaining and fostering diversity in its practice. From representing a wide variety of large and small clients in many different industries, our attorneys have the hands-on experience and knowledge needed to handle almost any types of legal matters, whether litigious or transactional in nature.
Red Flag Rules: Requirements for Identity Theft Prevention Compliance

By: Jennifer Kirschenbaum, Esq.

In addition to the standard compliance plan you hopefully already have in place, new federal regulation requires that your office compliance plan address the possibility of identity theft. Effective November 1, 2008, the Federal Trade Commission’s “Red Flag Rules” require healthcare providers to implement additional policies and procedures to prevent identity theft. The Red Flag Rules were adopted to prevent fraud attempted or committed using the identifying information of another person without authority.

The Red Flag Rules apply to businesses that handle identifying information in the course of extending credit (the “creditor” test discussed below). As healthcare providers must collect identifying information for every patient they treat, including first and last names, Social Security numbers, insurance information, account numbers and dates of birth, they are considered to be on the front lines of identity theft.

It is now difficult to open a newspaper without seeing an instance of identity theft in the healthcare world, whether a lost laptop belonging to a hospital employee or an intruder breaking into a physician’s patient database. Under the Red Flag Rules, many doctors’ offices, hospitals and other healthcare providers are required to spot and heed the red flags that are often the telltale signs of identity theft. To comply with the Red Flag Rules you should develop a written “red flags program” to prevent and detect identity theft and to minimize the damage it causes.

Healthcare Providers as Creditors

The Red Flag Rules apply to “creditors”, meaning any entity that regularly:

  • extends, renews, or continues credit;

  • arranges for someone else to extend, renew, or continue credit; or

  • is the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Under the Rules, “credit” means an arrangement by which you defer payment of a debt or accept deferred payment for the purchase of property or services. In other words, payment is made after the product is sold or the service is rendered. Healthcare providers are therefore creditors if they bill patients after their services are completed. Additionally, under the Red Flag Rules, healthcare providers that accept insurance are considered creditors if the consumer is ultimately responsible for the medical fees. Under these definitions, “creditor” includes the majority of medical practices, and should include all medical practices given the requirements for balance billing (see the balance billing article at https://www.kirschenbaumesq.com/healthcarearticles.htm).

Once you have determined that you are a “creditor”, the next step is to determine whether you have “covered accounts”. Under the Red Flag Rules, a covered account is either an account used for a continuing relationship with a consumer, such as the provision of medical services, or any other account for which there is a reasonably foreseeable risk of identity theft; both definitions plainly apply to healthcare providers.

As most healthcare providers are “creditors” with “covered accounts”, the Red Flag Rules require them to maintain a written program to identify and address the red flags that may indicate identity theft.

What Type of Written Plan Do You Need to Comply

While the Rules do not prescribe the contents of a written plan, the FTC’s guidelines list the issues you should consider in developing and maintaining an effective program. Your program should:

  • identify and detect relevant red flags (including alerts, notifications or warnings from a consumer reporting agency, suspicious documents, suspicious personally identifiable information, suspicious activity on a covered account, and notices from patients);

  • prevent and mitigate identity theft (including monitoring accounts and educating staff on how to recognize and report identity theft); and

  • update the program periodically to reflect changes in the risks to patients and to the practice.

Program Approval

Unlike your standard compliance plan, your Red Flag Rules program must be approved by the entity’s board of directors (or a committee of the board) or, if the practice has no board, by a designated senior employee.

Penalties for Noncompliance

Failing to comply with the Red Flag Rules carries no criminal penalty, but it can expose you to civil monetary penalties. Moreover, a finding that you have violated the Red Flag Rules may draw unwanted attention to your practice from other agencies in addition to the Federal Trade Commission.

For additional information about the Red Flag Rules, or for assistance in developing a compliance plan for your office that addresses the Red Flag Rules, please contact Jennifer Kirschenbaum at (516) 747-6700 or at Jennifer@KirschenbaumEsq.com.