“Red Flag Rules” Apply to LTACHs: August 1, 2009 Implementation Deadline Quickly Approaching
The new deadline for health care providers, including LTACHs and other post-acute care providers, to comply with the “Red Flag” identity protection rules (the “Rules”), which were first published by the Federal Trade Commission (“FTC”) in 2007 as part of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), is quickly approaching. On August 1, 2009, “financial institutions” and “creditors” covered by the Rules will be required to implement a written Identity Theft Prevention Program (“Program”) to define, detect, and respond to “Red Flags” in order to prevent and/or mitigate identity theft. Failure to comply with the Rules can result in the assessment of civil monetary penalties for violations.
The FTC announced on April 30, 2009 that it was delaying the May 1, 2009 implementation of the Rules until August 1, 2009. The previous May 1, 2009 implementation deadline was itself an extension from the original November 1, 2008 implementation date. Some commentators have speculated that further implementation delays until January 1, 2010 may be possible.
According to the FTC, a “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft. Red flags include:
- alerts, notifications, or warnings from a consumer reporting agency;
- suspicious documents and/or personally identifying information (e.g., an inconsistent address or a nonexistent Social Security number);
- unusual use of, or suspicious activity relating to, a patient account; and
- notices of identity theft from patients or law enforcement authorities.
The Red Flag Rules Apply to LTACHs
The Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the Rules, a “creditor” is any entity that regularly extends, renews, or continues credit, or accepts payment for goods and services. If an LTACH permits payment for medical services provided to a patient after those services are provided, and/or over a period of installment payments, then it is considered to be a creditor for purposes of the Rules. LTACHs that accept insurance are also considered creditors if their patients are ultimately responsible for medical fees. However, LTACHs are not creditors under the Rules if they merely accept credit cards as a form of payment.
An LTACH or other health care provider that is a “creditor” under the Rules must also determine if it has “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Patient accounts are considered accounts for personal purposes. If a patient can make installment payments, then a covered account exists. The other type of account is one for which there is a foreseeable risk of identity theft.
One unique question faced by post-acute care providers, including LTACHs, SNFs, and HHAs, is whether such entities may assume STACHs and doctors referring patients to such providers performed all proper identity theft screening. Because the Rules hold each provider responsible for maintaining compliance, post-acute care providers must have their own Red Flag policies, procedures and Program, and may not rely upon the policies, procedures, and Programs of referring providers and physicians.
Implementing an Identity Theft Prevention Program
LTACHs that qualify as creditors and have covered accounts must develop and implement a Program designed to detect, prevent, and mitigate identity theft in connection with the opening or maintenance of a covered account. The Rules are flexible and allow covered health care providers to establish a Program that is appropriate given the size and complexity of their organizations, and the nature and scope of their activities. All Programs, however, must include “reasonable policies and procedures” to:
- Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure that the Program is updated periodically, to reflect changes in risks to consumers or patients.
The Program must also: (i) be approved by the LTACH’s Board of Directors, or an appropriate committee or management; (ii) be managed by the Board of Directors or senior employees; (iii) include appropriate staff training; and (iv) provide for oversight of any subcontractor service providers or vendors. Once a year, a written report on the Program should be submitted to the Board, committee, or management discussing any compliance concerns involving contracted vendors, any incidents of identity theft, and any recommended changes to the Program.
More information regarding the Red Flag Rules is available on the FTC’s website. The FTC has also created a useful F.A.Q. Guide answering commonly asked questions regarding the Rules, a manual entitled Fighting Fraud with the Red Flag Rules: A How-To Guide for Business, which provides many answers for LTACHs in the process of creating and implementing their Program, and a site specifically dedicated to health care providers’ questions regarding the Rules.
Please contact me if questions arise regarding how to implement an effective Red Flag Rules Identity Theft Prevention Program.
Jason S. Greis, Esq.
McGuireWoods LLP
312.849.8217