
Red Flags Rule

The Federal Trade Commission’s (FTC’s) “Red Flags” rule, which takes effect on August 1, 2009, will affect most medical practices. Review the rule’s implications before developing new policies or plans. You should also review any existing policies to see if they are still appropriate given the new Red Flags requirements.

What is a Red Flag? As part of the FTC’s implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003, the rule requires “creditors,” which may include medical providers, to establish a program to prevent identity theft in their practices. The program must incorporate Red Flags – that is, indicators of a possible risk of identity theft.

The rule defines a creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” The FTC interprets this to include a medical provider if the provider does not regularly demand payment in full for services or supplies at the time of service. This includes, for example, a provider who bills a patient’s insurance company before requesting payment in full. In the FTC’s February 4, 2009 correspondence to the AMA and other physician organizations, it reinforced this point by stating:

"When a physician submits a claim to an insurance carrier first and then bills any remaining unpaid amounts to the patient – whether she does so as a courtesy to the patient or because she is required to do so as a matter of contractual or state law – the physician is deferring the consumer’s payment of his or her share of the claim (i.e., the physician is billing the patient after having provided the patient with medical services)."

The FTC considers a physician who engages in this type of arrangement to be a creditor for purposes of the Red Flags rule.

The FTC produced the Complying with the Red Flags Rule worksheet (in PDF format) to help you decide if you are a "creditor" according to this Rule.

If you determine that you are a creditor, you then need to figure out if you maintain “covered accounts.” As defined in the regulations, covered accounts are accounts that permit multiple payments or transactions and that pose a reasonably foreseeable risk to customers or to the safety and soundness of medical practices from identity theft. These risks can include financial, operational, compliance, reputation or litigation risks. The FTC considers patient billing records to be “covered accounts.”

If you determine that you qualify as a creditor who maintains covered accounts, the Red Flags rule applies. Your practice must develop an identity-theft prevention program that contains “reasonable policies and procedures” (which may incorporate existing policies and procedures) to achieve the goals of the Red Flags rule:

* Identify relevant indicators of a possible risk of identity theft (“Red Flags”)
* Detect Red Flags
* Prevent and mitigate identity theft
* Update the identity theft prevention program

In the February 2009 correspondence to the medical community, the FTC noted that due to the risk-based nature of the requirements, it did not believe the rule would impose significant burdens on most providers. It gave examples of a low-risk practice (a small practice with a limited, well-known patient base) and a high-risk practice (a clinic in a large metropolitan area that treats a high volume of patients). It stated that in low-risk practices, an appropriate program might involve checking photo identification and having policies to deal with the theft of a patient’s identity (including not trying to collect the debt from the patient and separating the medical records of the real patient from those of the identity thief).


Two Samples of a Red Flags Rule Policy

If you decide that you need a Red Flags Rule policy in your Office Procedures Handbook, here is some help. SCCMS has permission from both of these organizations for our members to copy and change these policies to fit your office. Just use the one you like best.

Identity Theft Prevention Program (ITPP) Policy from the San Diego County Medical Society.  (In .doc format)

Santa Cruz Orthopaedic Institute's Red Flags Rule policy.  (In .doc format)


AMA - Red Flags Rule Guidance Material

The Federal Trade Commission (FTC) continues to assert that physicians who regularly bill their patients (including co-payments and coinsurance) are considered creditors and so must develop and implement written identity theft prevention and detection programs for their practices by August 1, 2009, in order to be in compliance with the FTC’s Red Flags Rule (Rule). The American Medical Association strongly disagrees with the FTC’s broad interpretation of the term “creditor.” We are continuing our efforts to delay the compliance deadline and to get the FTC to re-publish the Rule so that medicine will have an opportunity to explain why this Rule is not applicable to physicians.

The AMA developed guidance material to help physicians comply with the Red Flags Rule, which can be accessed on the AMA web site. The AMA updates this page regularly.

 

 
