The Federal Trade Commission (FTC) has delayed enforcement of its "Red Flags Rule" regarding identity theft until Aug. 1; are you prepared to be compliant?The rule, details of which were published in the Federal Register in late 2007, is intended to help financial institutions and creditors that offer or maintain one or more "covered accounts" to "detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account," and requires financial institutions and creditors to provide written programs along these lines.
Originally, the enforcement date for the rule was Nov. 1, 2008, but congressional pressure supported by the American Chiropractic Association and others led the FTC to delay enforcement for six months, until May 1, and then three additional months to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.
How does this rule impact doctors of chiropractic and other health care providers? While some initially questioned whether physician offices fell under the rule, the FTC made clear that the rule applies to DCs and other providers in a February 2009 letter from Eileen Harrington, acting director of the Bureau of Consumer Protection, to Margaret Garikes, American Medical Association director of federal affairs:
"[W]e believe the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services. ... The ECOA [Equal Credit Opportunity Act] defines 'creditor' as 'any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original credit or who participates in the decision to extend, renew or continue credit.' 'Credit,' in turn, is defined by the ECOA as 'the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.' The Agencies concluded that the plain language of the statute covered all entities engaged in the provision of credit, as defined by the ECOA, and does not permit industry-based exclusions."
Harrington's letter, which followed an initial AMA letter challenging the FTC's position and a meeting between the FTC and representatives of the AMA and other health care provider organizations, also noted: "Given the potentially serious consequences for the health of victims, many physicians already evaluate their identity theft risk and develop, as appropriate, reasonable prevention programs. For example, some health care providers ask for photo identification at patient visits. These steps are consistent with the objectives of the Red Flags Rule."
What does an identity theft prevention program entail, and how burdensome is implementation of such a program? According to Harrington: "[W]e do not believe that the Rule would impose significant burdens for most providers. ... The Red Flags Rule is designed to be flexible and tailored to the degree of identity theft risk faced by the particular physician; in many cases, that risk may be minimal or non-existent, such that a simple and streamlined program would be adequate. For example, for most physicians in a low-risk environment, an appropriate program might consist of checking a photo identification at the time services are sought and having appropriate procedures in place in the event the office is notified - say by a consumer or law enforcement - that the consumer's identity has been misused. Such procedures might include not trying to collect the debt from the true consumer or not reporting it on the consumer's credit report, as well as ensuring that any medical information about the identity thief is maintained separately from information about the consumer."
The FTC recommends taking the following four steps when developing a rule-compliant identity theft program in your practice: identify relevant red flags (warning signs of potential identity theft), detect red flags; prevent and mitigate identity theft; and update your program periodically. Red flags include any of the following: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious personally identifying information; suspicious activity relating to a covered account; or notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
For more information about the Red Flags Rule, including the guidelines as published in the Federal Register in November 2007, complete text of the Feb. 9, 2009 FTC letter to the AMA, and what doctors of chiropractic need to know to comply with the rule, visit www.acatoday.org, click on the search icon at the top of the page, and type in"Red Flags Rule." You can also find additional information by searching the FTC Web site: www.ftc.gov.