“Red Flag” Rule on Address Discrepancy Kicks In on November 1, 2008
By Patti Cullen, CAE

NOTE: The Federal Trade Commission will suspend enforcement of the second of three rules under the new “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions additional time to develop and implement written identity theft prevention programs. This announcement came on October 23, and is a late addition to the following article.

On December 4, 2003, the President signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) into law. It added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA). In November of 2007, the group of implementing agencies issued a final rule implementing the Act. (The rule is Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Joint Final Rules and Guidelines, 72 Federal Register 63718, November 9, 2007.)

The “Red Flag Rule” is actually three different but related rules. The first rule applies to nursing facilities and assisted living facilities (hereinafter both referred to as “facilities”) that use credit reports. The second rule, pertaining to creditors, may apply to facilities. There is some uncertainty regarding its application, and the American Health Care Association/National Center for Assisted Living (AHCA/NCAL) is seeking an FTC opinion. The third and last rule, involving credit cards, does not apply to facilities.

It is only recently that the Federal Trade Commission (FTC) has indicated the applicability of the rule to the health care sector. The FTC will be the agency that enforces the rules for the health care provider. The mandatory compliance date for the three rules under the “Red Flag Rule” was originally November 1, 2008. This date is now only applicable to the first part of the rule – the address discrepancy rule. The second rule – the creditor rule – is delayed until May 1, 2009.

The first rule is referred to as address discrepancies or verification of address. Users of consumer reports must develop reasonable policies and procedures to respond to any notice of an address discrepancy they receive from a consumer reporting agency. This rule applies to facilities only to the extent they use consumer reports; i.e. credit reports (for example to screen potential employees). Under this rule, criminal background checks are not considered consumer reports.

The second rule requires that financial institutions and creditors holding consumer or other “covered accounts” must develop and implement a written identity theft prevention program that covers both new and existing accounts. This rule may apply to facilities since the FTC currently appears to consider health care entities to be “creditors.” However, AHCA believes there are strong reasons why facilities should not be considered creditors under FACTA and is addressing this issue directly with the FTC. In the interim, we believe it is important for facilities to become familiar with the rules and to take steps towards compliance.

The rules are referred to as red flag rules because the meaning of the term “red flag,” provided in the regulation, is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Thus, the identity theft programs must include a list of red flags pertinent to the nature, size and complexity of the entity.

As facilities become familiar with the rules, in preparation for developing an identity theft program, we advise that they review their compliance with the Health Insurance Portability and Accountability Act (HIPAA). There may be features of a facility’s HIPAA compliance program that, while not substituting for an identity theft program, might nevertheless complement the identity theft program and could be useful in meeting the requirements of the red flag regulations.

We have posted on our website a comprehensive memorandum on the red flag rules prepared by AHCA’s General Counsel, Reed Smith. The memo includes two attachments:

(1) A sample form/checklist to help with compliance with the rule regarding consumer reports.
(2) Illustrative examples of red flags provided in the final rule to assist with compliance with the rule covering “creditor.”

We have also posted a summary document prepared by AHCA of the applicable rules and some suggestions for compliance.

What happens if you do nothing?

Under FACTA, the FTC is authorized to bring civil actions in federal court for violations for up to $2,500 for each separate violation. Additionally, the State Attorneys General are authorized to bring civil actions for their state residents and may recover up to $1,000 per violation and attorney’s fees if successful.

To our knowledge, there are no plans to actively audit organizations; however, historically, a negative event, such as a security breach, an employee reporting noncompliance or a patient complaint could lead to an investigation by the FTC, which is typically how the FTC operates. Once the FTC finds noncompliance, fines, future audits and ongoing obligations of reporting are possible. Additionally, class actions under state law could follow.

Patti Cullen, CAE