Red flag rules on identity theft take effect soon

A column examining the ins and outs of contract issues

By Steven M. Harris, a partner at McDonald Hopkins in Chicago concentrating on health care law and co-author of Medical Practice Divorce. He writes the "Contract Language" column. Posted March 30, 2009.


Effective May 1, many physicians will be required under federal law to assist the government in detecting, preventing and mitigating "red flags" of identity theft.

The Federal Trade Commission implemented the so-called red flag rules, which impose certain duties on financial institutions and creditors with the goal of curtailing the growing issue of consumer identity theft.

The rules originally were supposed to take effect on Nov. 1, 2008, but the FTC delayed them at the behest of the American Medical Association and others in organized medicine. The groups argued that the FTC's inclusion of physicians under this law is wrong. Organized medicine has continued to discuss with the FTC the necessity of taking physicians out from under these rules.

But if that doesn't happen, doctors need to be aware of what to expect.

Physicians are subject to the red flag rules if they satisfy a two-part test.

The first prong requires that the physician is a creditor. That is broadly defined as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."

For example, if a physician renders medical services to a patient without taking full payment at the time of service but rather defers payment by billing the patient, the physician is a creditor under the red flag rules.

If a physician renders medical services to a patient and accepts the patient's co-pay, the physician is a creditor, regardless of whether the physician receives payment from the insurance company. But the acceptance of credit cards as a form of payment does not, in and of itself, deem someone a creditor.

The second prong requires that the physician offer or maintain covered accounts for patients.

Under the rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions, as well as any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to patients of identity theft.

Additionally, the creditor must have a continuing relationship with the patient before the patient's account is considered a covered account. That means a one-time patient would not constitute a continuing relationship.

In applying this definition to physicians, all patient accounts are offered for personal, family, or household purposes, and all such accounts contain personal identification information for which there is a foreseeable risk of identity theft.

These definitions of a creditor and a continuing relationship are the crux of the argument between the FTC and the AMA and other organized medicine groups. Medical associations argue that physicians weren't named specifically in the rules, and that any business that bills after providing a service to a frequent customer would be subject to them, which was not the rules' intent.

Under the red flag rules, physicians who are creditors and who offer or maintain covered accounts are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft.

A red flag is defined by the FTC as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." At a minimum, the red flag rules require that the program provide policies and procedures to:

  • Identify relevant red flags and incorporate them into the program.
  • Detect red flags in patient accounts.
  • Respond appropriately to any red flags detected in patient accounts.
  • Ensure the program is updated periodically to reflect changes in risks to patients, and the safety and soundness of the physician from identity theft.

Additionally, physicians must train staff to implement the program and exercise appropriate and effective oversight of it.

Many of the same safeguards that physicians use to be HIPAA-compliant overlap with those safeguards required to comply with the red flag rules. So you might already be ahead on some of these steps.

