Red Flags rule begins Aug. 1

May 15, 2009

FTC's August 1 enforcement of Red Flags rules to reduce identity theft requires healthcare providers to have written policies on how they will respond to the "red flags" of identity theft.

More than 8.3 million Americans are victims of identity theft each year, of which 4.5% or 332,000, are thought to suffer medical identity theft-usually someone pretending to be another person in order to gain access to the person’s health insurance coverage.

On August 1, the Federal Trade Commission (FTC) begins enforcing the “Red Flags” rule, designed to reduce identity theft. The rule requires certain kinds of businesses-including most physicians’ practices, hospitals, and other healthcare providers-to have written policies in place describing how they will identify and respond to warning signs-red flags-of identity theft. Businesses found not to be complying with the rule could face fines or other civil penalties.

The FTC, in its guidelines for how to comply with the rule, lays out four general categories of warning signs of identity theft. These include alerts, notifications or warnings from a consumer reporting agency; suspicious documents; suspicious forms of personal identification; and notifications from customers, victims of identity theft, and law enforcement authorities about possible identity theft.

Steven Kern, a partner in the law firm Kern Augustine Conroy & Schoppmann P.C. in Bridgewater, N.J., explains that compliance with the rule requires a program that will identify and detect relevant red flags, and mitigate the consequences of identity theft if it occurs. In addition, Red Flags programs must be updated periodically and be approved by the business’s board of directors, shareholders or-as is the case with most medical practices-senior partner.

Anjali Baxi, an attorney with Health Care Law Assoc. in Plymouth Meeting, Pa., notes that the majority of medical practices and hospitals already take steps to ensure that patients are who they say they are, such as requiring presentation of a form of photo ID with their insurance card.

“This is just an extra step in terms of making sure the process is more airtight,” she says.

Naomi Lefkovitz, an attorney in the FTC’s division of privacy and identity protection, says businesses do not need to submit their plans to the commission.

“If we are called in to investigate a case of identity theft, at that point we would probably ask to see the written program,” she says.

Several medical societies and organizations representing healthcare providers have protested the FTC’s interpretation of the rule as applying to their members, but as of mid-April the commission had not altered its position.

Robert Zirkelbach, a spokesman for America’s Health Insurance Plans (AHIP), says the organization has no comment on implementation of the Red Flags rule.