Medical groups oppose federal identity theft policy
Many physicians denoted as creditors and liable for identity theft under FTC’s Red Flags Rule.
Health care professionals are potentially at risk of federal sanctions if they have not implemented a written program to prevent identity theft by August 1. According to the Federal Trade Commission (FTC), health care providers who regularly bill patients for services after they are rendered are “creditors” within the meaning of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and thus must establish a comprehensive identity theft prevention program as required by the FACTA “Red Flags Rule.”
In an extended enforcement policy statement issued on April 30, the FTC acknowledged that many entities subject to its jurisdiction, including members of the health care industry, are still uncertain whether they could be categorized as “creditors” under the rule. To give them more time to come into compliance, the FTC has extended its enforcement by an additional 3 months (until Aug. 1). Even though members of the health care community have voiced vigorous protest, the agency remains insistent that the rule applies to many health care professionals.
Misguided position
The American Medical Association (AMA) and a large group of other medical associations believe the FTC’s position with respect to coverage of health care professionals is misguided, and also object to the manner in which the agency promulgated the Red Flags Rule. They wrote to the FTC last year to voice their objections, and subsequently met with commission staff to discuss their concerns.
Following that meeting, the acting director for the FTC’s Bureau of Consumer Protection, in a Feb. 4 letter, rejected the AMA’s views and stated, in no uncertain terms, that health care professionals may be creditors within the meaning of FACTA and thus subject to the rule. According to the FTC, the “plain language and purpose” of the Red Flags Rule dictate that health care professionals are covered by the rule when they “regularly defer payment for goods or services.”
The FTC’s position is based on FACTA’s definition of creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.”
Under FACTA, credit means “the right granted by a creditor to a debtor to defer payment of debt … or to purchase property or services and defer payment therefor.” According to the FTC, because many health care professionals regularly bill their patients or other clients for their services after those services are rendered, they clearly meet the FACTA definition of creditor. Indeed, the FTC argues, Congress would have had to exclude health care professionals explicitly from FACTA’s definition of creditor for them to be exempt from the Red Flags Rule.
Serious consequences
The FTC’s interpretation of the Red Flags Rule has widespread significance for the health care industry, as the AMA and the other medical associations involved in the debate clearly recognize. In a response to the FTC’s letter, the AMA accused the FTC of imposing an “unjustified, unfunded mandate on physicians” and warned that subjecting health care providers (including hospitals) to the rule could have “serious adverse consequences on patients’ access to our health care delivery system and services.” The AMA argued that the health care claims process is not a deferral of payment process; rather, it is a contractually governed system of obligations among patients, health insurance carriers, and physicians, all overlaid by federal and state requirements for prompt payment.
The AMA also claimed that the FTC failed to comply with the Federal Administrative Procedure Act by adopting the Red Flags Rule without explicitly stating that health care providers who allow deferred payment for their services were creditors under the rule. As of April 30, the FTC has not publicly responded to this AMA correspondence.
Given the compliance deadline and the absence of any indication that the FTC will change its position regarding health care professionals when this issue of Orthopedics Today went to press, the immediate questions for members of the health care community are whether they meet the rule’s definition of a creditor and, if so, what they need to do to come into compliance with the rule.
On the first question, health care professionals should conclude that they are creditors if they regularly provide to one or more persons products or services without first receiving payment. On the second question, the answer depends to a large extent on the nature of the accounts the creditor maintains with respect to the deferred payment.
Identity theft prevention
Under the Red Flags Rule, those accounts (termed covered accounts) must be carefully guarded through a variety of measures to protect against the risk of identity theft to the person whose payment was deferred. Those measures must be detailed in a written identity theft prevention program that is approved by the creditor’s board of directors or committee thereof (or, if there is no board of directors, a designated employee at the senior management level) and implemented, administered and overseen by senior management on a continuing basis.
In connection with its program, each financial institution or creditor must establish policies and procedures to identify any pattern, practice, or specific activity that indicates the possible existence of identity theft risk; detect those red flags through vigorous monitoring; respond appropriately to any red flags detected (ie, take steps to prevent identity theft from occurring or to mitigate its harm); and ensure that the program is updated periodically to reflect changes in possible risks or in the accounts themselves.
The rule provides a nonexclusive list of 26 examples of red flags that a creditor should consider including in its program. Although the 26 examples do not specifically refer to medical information, as the promulgating agencies explained, “creditors in the health care field may be at risk of medical identity theft (ie, identity theft for the purpose of obtaining medical services) and, therefore, must identify red flags that reflect this risk.”
Input from legal counsel is critical to ensure compliance, both in determining accurately whether, and to what extent, the Red Flags Rule applies and in designing and implementing an appropriate identity theft prevention program. Any loopholes in the required compliance measures could result in substantial penalties. Furthermore, although there is no private right of action to enforce the rule, its standards could potentially be used as a basis for claims of violations (including class action claims) of generally applicable state consumer protection laws.
For more information:
- Nancy L. Perkins is counsel in the Washington, D.C. law firm Arnold & Porter LLP. She can be reached at Arnold & Porter LLP, 555 12th St. NW, Washington, DC 20004; e-mail: nancy.perkins@aporter.com.