FTC Red Flag Rule: Does it apply to you?

Have you had your credit card stolen? Or maybe new checks were taken from your mailbox after they were delivered to your home. Perhaps you received a call from a zealous credit card company asking about suspicious charges on one of your credit card accounts. If you have had this happen, you well know that the result is at best an inconvenience; at worst your credit could be damaged significantly for years to come.

3.7 percent of the participants in a 2006 survey performed by the Federal Trade Commission indicated that they had discovered they were victims of identity theft during 2005. This amounts to approximately 8.3 million U.S. adults who found that someone had inappropriately tried to use their personal information. We all know that number is not going down.

In November 2007, the Federal Trade Commission (FTC) issued a rule to help prevent identity theft. For those organizations to whom it applies, the Red Flags Rule must be implemented by May 1, 2009. Obviously, you need to determine right away if the rule applies to you. You should not assume that it does not apply.

According to the April 23, 2009 Public Policy Update of the National Council for Behavioral Healthcare, the Red Flags Rule was written to require organizations to be on the lookout for warning signs of identity theft, to do what is possible to prevent the crime, to mitigate the effects of the crime if it occurs, and to have a formal, written plan that they follow to these ends.

Many healthcare organizations felt that the HIPAA requirements for the protection of sensitive patient information were adequate and that they should not be required to adhere to the Red Flags Rule. The American Medical Association (AMA) argued that position to the FTC. Unfortunately, the FTC ruled that the AMA’s arguments did not fly. If a healthcare provider regularly defers payments for goods or services (that is, if they routinely allow clients to receive services now and pay off the charges over time), then they are a creditor under the terms of the rule and the provider organization must therefore comply. It is highly likely that the billing practices of most psychologists, psychiatrists, social workers and many community behavioral health organizations will require that they be considered creditors under this rule, and must comply with the rule.

It is possible that you already take most of the actions that the rule requires; however, the rule mandates that you have a written policy and that you implement a program to protect and monitor patient information for possible identity theft.

Please take a look at the 17-page guide to determine how this rule applies to you.

Have you already drafted and implemented such a plan to protect your clients from identity theft? If you have, are you willing to share a bit of your experience?