As reported in the October 24, 2008, issue of the Health Care Alert, the Federal Trade Commission (FTC) has suspended enforcement of the “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions the time necessary to develop and implement written identity theft prevention programs. Many, if not most, health care providers are likely subject to the Rule and so should begin preparing plans now to ensure their compliance with the statute at the time its enforcement is renewed.
Background
In November 2007, the Federal Trade Commission (FTC) issued what are known as the “Red Flag Regulations,” 16 C.F.R., §681.1, et seq. These regulations, designed to deter, detect and prevent identity theft, require financial institutions and creditors of covered accounts to establish a program to detect, prevent and mitigate identity theft. An account is a continuing relationship established by an individual to obtain a product or a service. A “covered account” is any account offered or maintained by a creditor designated to cover multiple transactions or payments. The regulations also require those using consumer reports for employment verification purposes to develop reasonable policies and procedures to respond to any notice of an address discrepancy they receive from a consumer reporting agency.
An entity may be subject to the regulations through its use of consumer reports for employment verification purposes, and/or by acting as a creditor or a financial institution. Although under the Red Flag Regulations health care providers probably would not qualify as financial institutions, many may be considered creditors as the regulations apply to any company that provides goods or services without demanding payment at the time of the services. In many, if not most, instances a hospital will register and service a patient before billing for care and being paid for the services rendered. There is therefore reason to believe that many health care providers are creditors subject to the Red Flag Regulations and that they will consequently be required to establish a program to detect, prevent and mitigate identity theft in relation to covered accounts.
Red Flag Rule Requirements
Fortunately, the FTC has suspended enforcement of the new “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions the time necessary to develop and implement written identity theft prevention programs. Each health care provider subject to the Red Flag Regulations will have to establish a comprehensive written identity theft prevention program. The regulations do not describe what, exactly, such a program should entail. But the provider must be able to show that it has established reasonable policies and procedures to detect, prevent and mitigate identity theft in connection with the opening of a covered account, or any existing covered accounts.
The Red Flag Regulations do require that the entity’s governing board, or board committee, review and approve, as well as help develop, implement and oversee, the identity theft program. Such oversight is to include assigning responsibility for: the program’s implementation and compliance; reviewing reports; training the staff who will implement the program; overseeing service provider arrangements as appropriate; and approving program changes. The entity’s staff are to report at least annually to the entity’s president regarding compliance with the Red Flag Regulations. These reports should include such items as the program’s policies and procedures, service provider arrangements, significant incidents of identity theft and the responses taken, and any recommendations for program changes.
In the coming weeks Hinshaw & Culbertson LLP will provide additional information with respect to the Red Flag Regulations and the types of policies and procedures required to be in place by May 1, 2009.
For further information, please contact Roy M. Bossen, Kurt A. Leifheit or your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.
Register Today for the 2008 Health Care Conference
Friday, November 14, 2008 9:00 a.m. to 4:00 p.m.
Hilton Lisle/Naperville
3003 Corporate West Drive
Lisle, Illinois
Now in its fourth year, the conference has a new format with both plenary and breakout sessions. Join senior management, board members and in-house counsel of hospitals and health systems, physician leaders and physician practice administrators as our presenters examine and analyze current issues and strategies affecting the health care industry, including:
Plenary Sessions
Breakout Sessions
Who Should Attend
We are in the process of applying for CLE credit for this conference for attorneys.
There is a $75 non-refundable fee to attend this conference.
To register for this event, please click on Register. A detailed brochure will be mailed mid-September.
For more information, please contact the Conference Planner, Katherine McCormack, at 312-704-3329.