Medical Identity Theft

The Federal Trade Commission issued an announcement today that the deadline to implement the Red Flag requirements pertaining to identity theft has been delayed for six months, making the new compliance deadline May 1, 2009.

In its Enforcement Policy Statement, the FTC states:

During the course of the [FTC]’s education and outreach efforts following publication of the rule, the [FTC] has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA’s definitions of “creditor” or “financial institution.” Many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008.

Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the [FTC] believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial to the public. Delaying [FTC] enforcement of the rule as to the entities under its jurisdiction by six months, until May 1, 2009, will allow these entities to take the appropriate care and consideration in developing and implementing their programs. It also will give the [FTC] time to conduct additional education and outreach regarding the rule. Therefore, the Commission has determined that it will forbear from bringing any enforcement action for violation of the Identity Theft Red Flags.

Therefore, creditors, including healthcare providers that defer payment for goods and services, now have additional time to develop and implement Red Flags for identity theft.

The FTC published the Red Flag rule on November 9, 2007. Over the last year, however, there was considerable confusion and uncertainty about whether the rule, which is primarily geared toward financial institutions and other lenders, also applied (or should apply) to healthcare providers. On October 15, 2008, the Office of the National Coordinator for Health IT (ONC) sponsored a Medical Identity Theft Town Hall and, on the same day, posted a document titled "Medical Identity Theft Environmental Scan" which, among other things, confirms that the FTC’s Red Flag Rules extend to "entities outside of the traditional financial institutions, including entities in the health care industry." The FTC’s June 2008 Business Alert also specifically noted that "nonprofit entities and government entities that defer payment for goods and services [are] considered ‘creditors’" for purposes of the rule.

The compliance deadline for implementing Red Flags is fast approaching on November 1, 2008. UPDATE: On October 22, 2008, the FTC delayed the compliance deadline for Red Flag requirements pertaining to identity theft for six months. The new compliance deadline is now May 1, 2009.

A broad application of the Red Flag rules to the healthcare sector has likely been embraced because of an increased awareness that medical identity theft is a growing issue in healthcare, and it is hoped that Red Flags will assist with combating this risk. To comply with the Red Flag rule requirements, hospitals must have a plan in place to detect, mitigate, and prevent red flags that signal potential identity theft. Covered Entity providers may note that an effective HIPAA privacy and security compliance program contains many safeguards (e.g., access controls, person/entity authentication, audits) that already accomplish some of what the Red Flag rules require.

For a sample medical identity theft policy, visit the website of Health Ethics Trust. The World Privacy Forum also published a helpful report on September 24 entitled "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers."