July 30, 2009

FTC Delays Enforcement of Red Flags Rule Until November 1, 2009

On July 29, 2009, the Federal Trade Commission (FTC) announced that it will delay enforcement of the "Red Flags Rule" ("Rule") until November 1, 2009, to give affected institutions, including some health care providers, additional time to develop and implement written identity theft prevention programs.

The Rule requires "creditors" who maintain "covered accounts" to implement a written identity theft prevention program. Health care providers that bill insurance companies before requesting payment from the patient, or that offer alternative payment plans to a patient, will be considered creditors under the Rule.

A health care provider offers or maintains covered accounts if the provider establishes a continuing relationship with a patient and creates or maintains an account for such patient that allows for multiple payments or transactions. Covered accounts also include any accounts that the health care provider creates or maintains for which there is a reasonably foreseeable risk to patients of identity theft, including patient billing or payment accounts.

Implications for Health Care Providers

Health care providers should review the requirements of the Rule and, if affected, work with legal counsel to implement a compliant program before November 1, 2009.

To assist with compliance, the FTC has developed an online compliance template for entities with a low risk of identity theft. The FTC has also posted frequently asked questions and answers regarding enforcement of the Rule on its Web site. Of particular interest to health care providers, the FTC stated that its staff would be unlikely to recommend bringing a law enforcement action if the entity, such as a health care provider, knew its patients individually.

For more information, please visit the FTC Web site.