Oh Where, Oh Where Will the Red Flag End Up (or Down)?

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline date for the health care industry, with the latest deadline date being pushed all the way to June 1, 2010. Without a doubt, recent developments over the last several weeks have helped spur this latest bump.

For instance, on August 27, 2009, the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton of the U.S. District Court for the District of Columbia granted the 400,000-member ABA summary judgment on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed in the House, and it has been referred to and is being considered by the Senate.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to get their Identity Theft Prevention Program developed and adopted. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep their eye on H.R. 3763 to see if its enactment will exempt them from having to comply with the Red Flags Rule altogether. Finally, watch out for other industry groups that may now, in light of the ABA’s successful action, consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such actions would be as successful as the ABA’s, given that medical identity theft is a documented and real issue in the healthcare industry.

Should Health Care Providers Bother with Red Flags?

Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009. The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. Interestingly, last week, Law 360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement. If the ABA were to go down that route, others could follow suit (excuse the pun).

So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . . but should they?

In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers' compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care. In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this.

The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program should match the size and complexity of the particular health care provider -- and, thus, should be manageable, both from an administrative and financial standpoint. On the other hand, a victim of medical identity theft can have their safety, well being and even life jeopardized. The Red Flag Rules should be viewed, then, as one way to help protect patients from this growing problem.

To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.

Red Flag Enforcement Delayed to August 1, 2009

This morning, the Federal Trade Commission (FTC) announced it will delay (again) enforcement of the new “Red Flags Rule,” now until August 1, 2009 to give affected entities more time to comply. In the press release, FTC Chairman Jon Leibowitz said:

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. The FTC release points out that accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

The news release states that for entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC will be releasing templates to help them comply with the law. The FTC also already has a number of materials posted to help explain what types of entities are covered by the FTC Red Flag Rules and to provide guidance. See: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm and www.ftc.gov/redflagsrule.

IDENTITY THEFT RED FLAG COMPLIANCE DEADLINE DELAYED TO May 1st.

The Federal Trade Commission issued an announcement today that the deadline to implement the Red Flag requirements pertaining to identity theft has been delayed for six months, making the new compliance deadline May 1, 2009.

In its Enforcement Policy Statement, the FTC states:

During the course of the [FTC]’s education and outreach efforts following publication of the rule, the [FTC] has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA’s definitions of “creditor” or “financial institution.” Many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008.

Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the [FTC] believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial to the public. Delaying [FTC] enforcement of the rule as to the entities under its jurisdiction by six months, until May 1, 2009, will allow these entities to take the appropriate care and consideration in developing and implementing their programs. It also will give the [FTC] time to conduct additional education and outreach regarding the rule. Therefore, the Commission has determined that it will forbear from bringing any enforcement action for violation of the Identity Theft Red Flags.

Therefore, creditors, including healthcare providers that defer payment for goods and services, now have additional time to develop and implement Red Flags for identity theft.

Red Flags to Help Combat Medical Identity Theft

The FTC published the Red Flag rule on November 9, 2007. However, over the last year there was considerable confusion and uncertainty about whether the rule, which is primarily geared toward financial institutions and other lenders, also applied (or should apply) to healthcare providers. Then, on October 15, 2008, the Office of the National Coordinator for Health IT (ONC) sponsored a Medical Identity Theft Town Hall and, on the same day, posted a document titled "Medical Identity Theft Environmental Scan" which, among other things, confirms that the FTC's Red Flag Rules extend to "entities outside of the traditional financial institutions, including entities in the health care industry." The FTC's June 2008 Business Alert also specifically noted that "nonprofit entities and government entities that defer payment for goods and services [are] considered 'creditors'" for purposes of the rule.

The compliance deadline for implementing Red Flags is fast approaching on November 1, 2008. UPDATE: On October 22, 2008, the FTC delayed the compliance deadline for Red Flag requirements pertaining to identity theft for six months. The new compliance deadline is now May 1, 2009.

A broad application of the Red Flag rules to the healthcare sector has likely been embraced because of an increased awareness that medical identity theft is a growing issue in healthcare, and it is hoped that Red Flags will assist with combating this risk. To comply with the Red Flag rule requirements, hospitals must have a plan in place to detect, mitigate, and prevent red flags that signal potential identity theft. Covered Entity providers may note that an effective HIPAA privacy and security compliance program contains many safeguards (e.g., access controls, person/entity authentication, audits, etc.) that already accomplish some of what the Red Flag rules require.

For a sample medical identity theft policy, visit the website of Health Ethics Trust. The World Privacy Forum also published a report on September 24 entitled "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers" that is helpful.