
FTC Red Flag rules may apply to certain medical group practices

As part of the Federal Trade Commission's (FTC) implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003, medical providers may need to comply with the "Red Flag Rules," which require creditors to establish a program to prevent identity theft by Nov. 1, 2008. In a conference call today, an attorney for the FTC finally provided guidance as to when a provider meets the definition of a "creditor." Until this call, it was unclear how this regulation may apply to health care providers.

The FTC regulation defines a creditor as an entity that regularly extends, renews, or continues credit or arranges for the extension of credit. The FTC would include a medical provider in this definition if the provider does not regularly demand payment in full for services or supplies at the time of service, which, according to the FTC, would be considered extending credit. The FTC attorney said there is no "bright line" rule for determining whether a practice meets this definition; rather, it is determined on a case-by-case basis.

If a provider is considered a creditor, the FTC stated that the next determining question will be whether the provider maintains covered accounts of its patients. The FTC defines a covered account as a consumer account designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft. For a medical practice, this includes patient billing records. 

If a practice determines it qualifies as a creditor, the Red Flag Rules apply. The practice would be required to develop an identity theft program that contains "reasonable policies and procedures" to:

  • Identify relevant patterns, practices, and specific forms of activity that are "red flags," signaling possible identity theft;
  • Detect these patterns, or "red flags";
  • Respond to those detected to prevent and mitigate identity theft; and
  • Ensure the program is updated periodically to reflect changes in risks.

In administering such a program, a creditor would need to:

  • Obtain approval of the program from its board or board committee;
  • Involve the board or senior management designee(s);
  • Train staff; and
  • Exercise oversight of service provider arrangements. 

The FTC stressed that an identity-theft prevention program could be flexible and based on the relative risk of identity theft in a practice's location and patient population. The requirements of this rule may also overlap with some of the requirements of the Health Insurance Portability and Accountability Act (HIPAA). For example, oversight of service providers could be through a modified HIPAA business associate agreement. 

Because this regulation and the law it's based on were originally aimed at financial institutions, it has been unclear as to how it would be applied to health care providers. MGMA and 26 national medical associations recently submitted a letter to the FTC requesting clarification about whether or not this rule applies to medical providers. MGMA will continue working with the FTC and the provider community to determine the applicability of this regulation to medical practices. Additionally, we expect the FTC and other organizations to develop an identity-theft program template. We will notify you via the MGMA Washington Connexion when this information becomes available. 


Get the latest on this issue in the MGMA Washington Connexion e-newsletter. Not receiving it? Members, sign up today.

Discuss your questions in the Legislative and Executive Advocacy Response Network (LEARN) eGroup in the MGMA Member Community.

Contact Us

Please call toll-free 877.ASK.MGMA (275.6462), ext. 1300 or e-mail govaff@mgma.com.
