Prepared by Krystyna Nowik, Esq.
Health care providers and the Identity Theft Red Flags and Address Discrepancies Final Rule (“Red Flags Rule”) have had a drawn-out and bumpy history together. Considerable uncertainty about which entities were or should be considered creditors within the meaning of the Red Flags Rule resulted in multiple delays in the effective date and several legal challenges to the Red Flags Rule (e.g., by the American Bar Association (ABA) over its applicability to attorneys and by the American Medical Association (AMA) over its applicability to physicians).
On December 18, 2010, the Red Flag Program Clarification Act was passed for the sole purpose of narrowing the definition of creditor and providing some clarification as to what entities would be subject to the Red Flags Rule. The Red Flag Program Clarification Act does not explicitly exclude physicians, hospitals or other types of professionals or entities who had challenged the Red Flags Rule's applicability. However, it revises the definition of creditor to mean:
(1) a creditor as defined by section 702 of the ECOA (e.g., any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit) that regularly and in the ordinary course of business:
a. obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
b. furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; OR
c. advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;
(2) that does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; AND
(3) includes any other type of creditor…as the agency…may determine appropriate…based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.
Under this new definition, attorneys and other entities will not be considered creditors for purposes of the Red Flags Rule. Additionally, many physicians and hospitals may not be subject to the Red Flags Rule. However, the exemption does NOT necessarily let all health care providers off the hook.
Entities will still need to look at whether they "regularly and in the ordinary course of business" obtain or use consumer reports or furnish information to consumer reporting agencies, as well as whether they are advancing funds that will need to be repaid by the person. This potentially means that hospitals or physician groups that routinely submit information on non-paying patients to collection agencies, which in turn submit such information to a credit reporting agency, WILL be subject to the Red Flags Rule.
In addition, further guidance is likely to be issued by the FTC regarding the applicability of the new creditor definition and other types of creditors with regard to “reasonably foreseeable risk”. Additionally, no guidance is provided by the Red Flag Program Clarification Act as to what “regularly and in the ordinary course of business” means. However, although the American Hospital Association believes hospitals are clearly exempt from the Red Flags Rule by the new definition, hospitals that engage in billing and collection practices should be prepared to comply as of January 1, 2011 in the event such activities would qualify the hospital as a “creditor” or in the event the FTC through rulemaking expressly covers hospitals under the “reasonably foreseeable risk” of identity theft provision.
In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent potential harm to the victim. When dealing with medical identity theft, the stakes can be much more than just financial loss -- it can potentially cost a person their health, or life. Where multiple providers are connected through an HIO and engaging in HIE, the risks and harm resulting from identity theft may be multiplied. Therefore, irrespective of whether a provider is directly subject to FTC penalties for noncompliance, implementing an Identity Theft Prevention Program is a good idea from the standpoint of risk management and patient care.
For a great video on Medical Identity Theft, watch this news report from CBS3.