Health Law Alert: Identity Theft Red Flag Program Compliance Deadline Rapidly Approaching

4/23/2009

There has been significant confusion within the health care community as to whether hospitals and other health care providers are subject to the Federal Trade Commission’s (FTC) Red Flag Regulations, and if so, what those regulations require. The May 1 deadline is rapidly approaching and the confusion continues.

The FTC and the American Medical Association (AMA) have been locked in a disagreement regarding industry compliance. In February, the FTC stated in a letter to the AMA that it abides by its earlier position stating that Red Flag Regulations apply to health care. The AMA has “strongly objected” to the FTC’s interpretation and asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure.

Telephone discussions with FTC staff have not shed any further light on this situation, and the FTC’s position has been firm:

“Health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.”

The FTC's recent response to the AMA and its earlier statements regarding health care providers as “creditors” under the Red Flag Regulations combine to emphasize the importance of compliance. Notably, the FTC has stated that if there is not full payment at the time of the rendering of services, it is a “credit” transaction and thus covered by the Identity Theft Red Flag Regulations. This includes payment of co-payments and deductibles that are the obligation of the patient. Given the impending May 1 deadline, providers should be proceeding to develop and implement compliance programs with all due speed.

The Identity Theft Red Flag Regulations require covered entities to implement a risk-based program to detect and respond appropriately to signs of identity theft arising from their billing and collection practices. These obligations are separate and apart from health care providers' obligations under HIPAA. The FTC has identified new patient accounts as a particular area of risk for health care providers. Because the Identity Theft Red Flag Regulations specifically permit compliance programs that are risk-based, an individual program need only be scaled to the level of identity theft risk faced by patients within the institution or medical practice. If the risk is low, the identity theft program can be streamlined commensurate with that risk. But because patient intake and record retention systems differ from one provider to the next, the risk assessment must be conducted by each institution or provider to ensure that any program (or a determination that "no program" is the correct response) is tailored to the actual experience of that institution or provider. See the FTC's February 2008 article for a discussion of the applicability of the Identity Theft Red Flag Regulations to health care providers.

Failure to comply with the Red Flag Rules can result in various penalties. An identity theft event such as a data breach or an unhappy (or former) employee reporting non-compliance to the FTC could subject a health care provider to enforcement actions. Consequences may include a civil money penalty for each violation, regulatory enforcement action, and negative publicity. Although the Rules do not allow for any private legal action, there is the potential for private plaintiff lawsuits because a violation of federal rules may itself be a violation of state laws. These state laws may permit actions by consumers or state attorneys general. In any event, it is likely that, over time, the Red Flag Rules will become a de facto standard of care applied to determine whether a company has negligently caused a customer’s identity to be stolen.

Mintz Levin Can Help

Mintz Levin can assist with Red Flag compliance. We can help conduct risk assessments and develop or review your Red Flag program and policies, including employee training; advise on duties to detect, prevent, and mitigate identity theft; analyze and prepare vendor agreements that comply with your Red Flag duties; and advise senior management on responsibilities under the regulations.
For assistance in this area, please contact one of the attorneys listed below or any member of your Mintz Levin client service team.

MEMBERS
Robert D. Clark
Managing Member, Health Law Practice
(202) 434-7402
RDClark@mintz.com

Stephen M. Weiner
Chairman, Health Law Practice
(617) 348-1757
SWeiner@mintz.com

Susan W. Berson
Managing Member,
Washington, D.C. Office
(202) 661-8715
SBerson@mintz.com

Thomas S. Crane
(617) 348-1676
TSCrane@mintz.com

Stephen C. Curley
(212) 692-6217
SCCurley@mintz.com

Deborah A. Daccord
(617) 348-4716
DADaccord@mintz.com

Hope S. Foster
(202) 661-8758
HSFoster@mintz.com

Ellen L. Janos
(617) 348-1662
EJanos@mintz.com

Karen S. Lovitch
(202) 434-7324
KSLovitch@mintz.com

M. Daria Niewenhous
(617) 348-4865
DNiewenhous@mintz.com

Andrew B. Roth
(212) 692-6889
ARoth@mintz.com

OF COUNSEL
Michael D. Bell
(202) 434-7481
MDBell@mintz.com

Margaret D. Kranz
(212) 692-6882
MKranz@mintz.com

ASSOCIATES
Stephen R. Bentfield
(202) 585-3515
SRBentfield@mintz.com

Dianne J. Bourque
(617) 348-1614
DBourque@mintz.com

Shawneequa L. Callier
(202) 585-3551
SLCallier@mintz.com

Theresa C. Carnegie
(202) 661-8710
TCCarnegie@mintz.com

Brian P. Dunphy
(617) 348-1810
BDunphy@mintz.com

Garrett G. Gillespie
(617) 348-4499
GGGillespie@mintz.com

Lauren N. Haley
(202) 434-7386
LNHaley@mintz.com

Rachel M. Irving
(617) 348-4454
RMIrving@mintz.com

Krietta Bowens Jones
(617) 348-3042
KBowensJones@mintz.com

Sarah A. Kaput
(202) 434-7423
SAKaput@mintz.com

Katina W. Lee
(202) 661-8729
KLee@mintz.com

Carrie A. Roll
(202) 434-7350
CARoll@mintz.com

Tara E. Swenson
(202) 585-3504
TESwenson@mintz.com

Andrea P. Testa
(617) 348-4407
ATesta@mintz.com

Melissa O'Neill Thatcher
(617) 348-3015
MOThatcher@mintz.com

Heather L. Westphal
(202) 585-3538
HLWestphal@mintz.com

Jennifer E. Williams
(202) 585-3542
JEWilliams@mintz.com

Nili S. Yolin
(212) 692-6799
NSYolin@mintz.com

PRIVACY AND SECURITY
Cynthia J. Larose, CIPP
(617) 348-1732
CLarose@mintz.com