Medical groups oppose federal identity theft prevention policy
Despite their objections, many health care providers may be considered creditors by the FTC and therefore must abide by the Red Flags Rule.
As of Aug. 1, health care professionals are potentially at risk of federal sanctions if they have not adopted and implemented a written program to prevent identity theft.
According to the Federal Trade Commission (FTC), health care providers that regularly bill patients for services after they are rendered are “creditors” within the meaning of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and thus must establish a comprehensive identity theft prevention program as required by the FACTA “Red Flags Rule.”
In an extended enforcement policy statement issued on April 30, the FTC acknowledged that many entities subject to its jurisdiction, including members of the health care industry, are still uncertain whether they could be categorized as creditors under the Red Flags Rule. To give them more time to come into compliance, the FTC has extended by an additional 3 months (until Aug. 1) the date for its enforcement of the rule. However, despite vigorous protest by members of the health care community, the agency remains insistent that the rule applies to many health care professionals and that their compliance will be required as of that date.
The American Medical Association and a large group of other medical associations have protested the FTC’s position with respect to coverage of health care professionals, as well as the manner in which the agency promulgated the Red Flags Rule. They wrote to the FTC last year to voice their objections and subsequently met with FTC staff members to discuss their concerns.
After that meeting, in a letter dated Feb. 4, the acting director for the FTC’s Bureau of Consumer Protection rejected the AMA’s views and stated, in no uncertain terms, that health care professionals may be creditors within the meaning of FACTA and thus subject to the rule. According to the FTC, the “plain language and purpose” of the Red Flags Rule dictate that health care professionals are creditors for purposes of the rule when they “regularly defer payment for goods or services.”
FTC’s interpretation
The FTC’s position is based on FACTA’s definition of creditor as “any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.”
Under FACTA, “credit” means “the right granted by a creditor to a debtor to defer payment of debt … or to purchase property or services and defer payment therefor.” According to the FTC, because many health care professionals regularly bill their patients or other clients for their services after those services are rendered, they clearly meet the FACTA definition of creditor. Indeed, the FTC argues, Congress would have had to exclude health care professionals explicitly from FACTA’s definition of creditor for them to be exempt from the Red Flags Rule.
The FTC’s interpretation of the Red Flags Rule has widespread significance for the health care industry, as the AMA and the other medical associations involved in the debate clearly recognize. In a Feb. 23 response to the FTC’s Feb. 4 letter, the AMA accused the FTC of imposing an “unjustified, unfunded mandate on physicians” and warned that subjecting health care providers (including hospitals) to the rule could have “serious adverse consequences on patients’ access to our health care delivery system and services.”
The AMA argued that the health care claims process is not a “deferral” of payment process; rather, it is a contractually governed system of obligations among patients, health insurance carriers and physicians, all overlaid by federal and state requirements for prompt payment.
The AMA also claimed that the FTC failed to comply with the federal Administrative Procedure Act by adopting the Red Flags Rule without explicitly stating that health care providers that allow deferred payment for their services were creditors under the rule. As of April 30, the FTC has not publicly responded to this AMA correspondence.
How to become compliant
In the absence of any indication that the FTC will change its position regarding the Red Flags Rule’s application to health care professionals, the immediate questions for members of the health care community are (1) whether they meet the rule’s definition of a creditor and (2) if so, what they need to do to come into compliance with the rule by Aug. 1.
On the first question, health care professionals — including hospitals, clinics, physicians, etc. — should conclude that they are creditors if they regularly provide products or services to one or more persons without first receiving payment. On the second question, the answer depends to a large extent on the nature of the “accounts” the creditor maintains with respect to the deferred payment.
Under the Red Flags Rule, those accounts (termed “covered accounts”) must be carefully guarded through a variety of measures to protect against the risk of identity theft to the person whose payment was deferred. Those measures must be detailed in a written identity theft prevention program that is approved by the creditor’s board of directors or a committee thereof (or, if there is no board of directors, a designated employee at the senior management level) and implemented, administered and overseen by senior management on a continuing basis.
In connection with its identity theft prevention program, each financial institution or creditor must establish policies and procedures to (1) identify any pattern, practice or specific activity that indicates the possible existence of identity theft risk (ie, red flags); (2) detect those red flags through vigorous monitoring; (3) respond appropriately to any red flags detected (ie, take steps to prevent identity theft from occurring or to mitigate its harm); and (4) ensure that the program is updated periodically to reflect changes in possible risks or in the accounts themselves.
The Red Flags Rule provides a non-exclusive list of 26 examples of red flags that a creditor should consider including in its program. Although the 26 examples do not specifically refer to medical information, as the promulgating agencies explained, “creditors in the health care field may be at risk of medical identity theft (ie, identity theft for the purpose of obtaining medical services) and, therefore, must identify red flags that reflect this risk.”
Input from legal counsel is critical to ensure accuracy in determining whether and to what extent the Red Flags Rule applies and in designing and implementing an appropriate identity theft prevention program. Any loopholes in the required compliance measures could result in substantial federal penalties. Further, although there is no private right of action to enforce the rule, its standards could potentially be used as a basis for claims of violations (including class action claims) of generally applicable state consumer protection laws.
- Nancy L. Perkins, JD, can be reached at Arnold & Porter LLP, 555 12th St., NW, Washington, DC 20004-1206; 202-942-5065; e-mail: nancy.perkins@aporter.com.