The FTC’s Identity Theft Red Flags Rule: Catching the uninsured in the act of medical services theft

Article Summary: The Federal Trade Commission’s Red Flags Rule for identity theft applies to most health care providers according to the FTC’s current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an area that the Department of Health & Human Services, since the issuance of the Red Flags Rule in late 2007, has seen fit to strengthen under the HITECH Act of 2009, through both enhanced security protections and breach notification requirements. Further, the HITECH Act put into motion aggressive health information technology reform that also will likely address medical identity theft. Do we really need another federal agency regulating the privacy and security protections that health care providers provide for medical records? This article summarizes the key components of the Red Flags Rule that will draw most health care providers into its reach and discusses how current health care reforms may favorably impact the prevention of medical identity theft.

On November 17, 2007, the Federal Trade Commission (FTC) published its final Red Flags Rule requiring the development and implementation of policies and procedures to flag or identify potential identity theft. [See Note 1 below.] In sum, the Red Flags Rule applies to a person or entity who is a “creditor” and who offers or maintains “covered accounts.” On October 1, 2008, a lawyer for the FTC stated in a national teleconference sponsored by the American Health Lawyers Association that any health care provider who does not require payment in full at the time services are rendered is a “creditor.” The FTC’s guidance to health care providers says, “[Y]ou are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance.”

The predominant practice in the health care profession is to require payment of the co-pay, file the claim with the patient’s insurance, receive the explanation of benefits (EOB) from the insurer regarding any remaining responsibility of the patient due to deductibles and co-insurance obligations, and then bill the patient for the remainder. The result: essentially every health care provider who participates in the Medicare program or files insurance claims on behalf of patients is a “creditor.”

So what does being a “creditor” mean? A person or entity who is a “creditor” under the Red Flags Rule is required to implement policies and procedures to protect against identity theft, but only as to “covered accounts.” The definition of a “covered account” is a two-part definition. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions.” The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” It is the second part of this definition which has the broadest application, because it includes any account for which there is a “reasonably foreseeable risk” regarding its safety or soundness. The FTC’s guidance to health care providers advises, “The accounts you open and maintain for your patients are generally ‘covered accounts’ under the law.”

When the FTC took the position that the Red Flags Rule applied to health care providers, debate on this issue ensued, particularly between the FTC and the American Medical Association (AMA). This debate is ongoing. In the meantime, in order to give health care providers more time to design a Red Flags Rule policy and procedure appropriate to the provider, the FTC has delayed enforcement of the Red Flags Rule until November 1, 2009, the third delay the FTC has issued. 

At first blush, and even upon second and third blush, the Red Flags Rule appears principally directed at “creditor” identity theft. Even the Frequently Asked Questions (FAQs) that the FTC released on June 11, 2009, appear entirely focused on traditional forms of credit such as one would obtain in the banking, savings and loan industry and other types of consumer loan situations such as auto financing. [See Note 2 below.] There is no mention of situations involving health care providers in the FAQs.

The FTC did not receive or specifically solicit input from health care providers before issuance of the Red Flags Rule in November 2007. So, what consideration was given to the fact that nearly all health care providers would be “creditors” or that health care providers already are governed by a more extensive privacy and security rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? And, surely, at the time the Red Flags Rule was being considered, no one anticipated that the American Recovery and Reinvestment Act of 2009 (ARRA) would be passed and would include beefed up standards for the security of medical information, the end result of which should help protect against medical identity theft. 

There is only one inference to health care in the Red Flags Rule and it is not related to the theft of one’s health care identity to obtain credit but rather is related to the theft of one’s identity to obtain medical services. The Red Flags Rule states: 

When identifying Red Flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject. For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk. 

So, suddenly, in the middle of the Rule, the FTC shifts gears from the issue of credit theft to address a situation that almost certainly is the focus of health care reform today, i.e., the use of someone else’s identity in order to obtain medical services. No doubt such fraud may be taking place with the permission of the person whose identity is being used to obtain the services.  It’s also taking place in vast numbers by those who have stolen a person’s identity without their permission. [See Note 3 below.] Why?  No health insurance.  Is this not why we are talking about health care reform in the first place? 

To be fair here, the FTC did receive comments on the Red Flags Rule from the World Privacy Forum, which implored the FTC to expand the Rule to specifically address “medical identity theft.” The World Privacy Forum had identified medical identity theft as an issue and seized on what it saw as a perfect opportunity to address the problem. The World Privacy Forum pointed out that the Red Flags Rule did not sufficiently identify health care providers, stating that the extent to which health care providers are aware of their status as “creditors” under the rule was debatable. Interestingly, the World Privacy Forum also pointed out that “even lawyers reading the rule may not easily reach the conclusion that health care providers can be covered.” The FTC, however, declined to more specifically address health care providers as creditors or to address medical identity theft to the extent desired by the World Privacy Forum. Instead, the FTC only gave lip service to the concept with the one reference quoted above.

If the intent of the FTC was to protect against “medical” identity theft, then why not specifically address health care providers in the Rule? Perhaps the FTC did question whether this territory was better left up to the United States Department of Health & Human Services, while still wanting to somewhat address the legitimate concern that the World Privacy Forum had raised. Considering that medical identity theft may be the fallout from America’s health insurance crisis, perhaps the issue is better addressed within the impending health care reform. Also to be considered are the burdens to both the taxpayers and the health care providers of having a separate federal agency besides HHS monitoring a problem that really should be within the scope of authority of HHS. Finally, one must consider whether the FTC is reaching beyond the intent of the original law under which the Red Flags Rules were promulgated, the Fair Credit Reporting Act (FCRA). [See Note 4 below.] Because health care reform and health information technology already are the domain of HHS, it would seem to make more sense to keep medical identity theft within the domain of HHS as well.

In light of the massive HIT implementation envisioned under the HITECH Act, there is no question that stronger medical identity protections will be needed. Everyone will want such protection no matter what industry they are in. The HITECH Act clearly intended to enhance the security measures that must be implemented to secure protected health information. And HHS has issued proposed regulations respecting how unsecured data must be further secured. Health information technology is not the answer to all the problems, but this is a critical year in which much work on HIT is to be done. For example, as more and more providers implement electronic health records, I would expect that the certification standards for HIT likely will include ways in which health care providers and insurers will be able to quickly determine who is accessing each record, for what purpose, at what location, and how to conduct audits of such access. The expansion of health information technology likely will impact the identification of appropriate red flags. In fact, in the Report prepared by Booz Allen Hamilton for the Office of the National Coordinator for Health Information Technology, the Report identified health information technology as providing a rich opportunity to provide additional identity theft identification tools. [See Note 5 below.]

In sum, this author is not questioning the fact that medical identity theft is indeed a problem and must be addressed. However, addressing the issue should be done in a framework focused on “medical” identity theft rather than “credit” identity theft. Further, health care providers, who had no meaningful opportunity to comment on the Red Flags Rule, need to give their considered input based on their experiences and on current technology to help protect against such theft. We should ensure that adequate coordination to protect against medical identity theft occurs among the following: a) the further development of regulatory requirements related to securing health care information; b) the ongoing development of health information technology standards under the HITECH Act; and c) the impact that health care reform for the uninsured might have on the further development of monitoring for medical identity theft.

In fact, the medical identity theft problem simply may be more suitably addressed within the context of health care reform, especially considering the reasons for such theft. All in all, the more prudent course at this time may be to delay the enforcement of the Red Flags Rule as to health care providers until after 2010. This would give some much needed breathing room for health care providers, already straining under the current financial crisis, as well as allow more time to consider how best to address medical identity theft within the context of the current landmark reforms in both health information technology and health care. With the impending explosive expansion in HIT over the next few years, a more deliberate approach is now needed towards protecting the most important information affecting our life, health and possibly even our very existence.


Note 1: “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003,” 16 C.F.R. Part 681, Final Rule published at 72 Fed. Reg. 63718 (Nov. 17, 2007). Click here to access the Rule.

Note 2: On June 11, 2009, the FTC posted a list of Frequently Asked Questions (FAQs) concerning the application of the Red Flags Rule. Interestingly, not a single FAQ addresses the application or implementation of the Red Flags Rule within the context of a health care provider. Click here to access the FAQs.

Note 3: The Office of the National Coordinator for Health Information Technology (ONC) contracted with Booz Allen Hamilton to conduct a report on medical identity theft. ONC’s purpose was to better understand the scope of medical identity theft and how health information technology might play a role in preventing, detecting and remediating the problem. Prevention, detection and remediation are the three goals that a “creditor” must seek to achieve in implementing an identity theft policy. The Report states that “most of the leading experts who participated in the [October 15, 2008] Town Hall [on medical identity theft] agreed that, if implemented and executed properly, health IT and health information exchange could be used to prevent, detect, and help with correction of medical identity theft in a manner that has not been previously available. Overall, health IT would provide opportunities for greater communication channels, more standardized approaches to managing risk, and increased data security.” Click here to access the Report.

Note 4: The Identity Theft Red Flags and Address Discrepancies rules implement section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), 15 U.S.C. § 1681m, and section 315 of the FACT Act, 15 U.S.C. § 1681c, which amended the Fair Credit Reporting Act (FCRA).

Note 5: The Report observed: “Using technology to recognize inconsistencies in services requested and delivered, for example, can be used to detect fraudulent use of individuals’ identities. Systems could review transactional records and detect such anomalies as the appearance of treatments for chronic conditions not previously diagnosed; increases in prescriptions that may indicate drug-seeking behavior; or attempts to receive care at multiple locations, all remote from the individuals’ residences. These types of alerts would allow for further investigation to ensure that the consumer receives the appropriate care, and inconsistencies can be identified and handled appropriately.”
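The three anomaly types the Report describes in Note 5 can be expressed as simple red-flag rules run over a patient's encounter history. The following is an added illustration, not code from the Report, the FTC or this blog; it uses constructed encounter records and assumes a site code whose prefix is the state, so a site is treated as "remote" when that prefix differs from the patient's home state.

```python
from collections import defaultdict

# Constructed sample encounter records (not real data), modelled on the three
# anomaly types quoted from the Report: chronic treatment without a prior
# diagnosis, a jump in prescriptions, and care at several sites away from home.
ENCOUNTERS = [
    {"patient": "P1", "date": "2009-01-05", "site": "OH-A", "home": "OH",
     "diagnosed": ["hypertension"], "chronic_treated": ["hypertension"], "rx": 1},
    {"patient": "P1", "date": "2009-02-10", "site": "OH-A", "home": "OH",
     "diagnosed": [], "chronic_treated": ["hypertension"], "rx": 1},
    {"patient": "P2", "date": "2009-03-01", "site": "OH-B", "home": "OH",
     "diagnosed": [], "chronic_treated": [], "rx": 1},
    {"patient": "P2", "date": "2009-03-09", "site": "NV-C", "home": "OH",
     "diagnosed": [], "chronic_treated": ["diabetes"], "rx": 4},
    {"patient": "P2", "date": "2009-03-12", "site": "FL-D", "home": "OH",
     "diagnosed": [], "chronic_treated": ["diabetes"], "rx": 5},
]

def red_flags(encounters, rx_spike=3, remote_sites=2):
    """Return {patient: sorted red-flag strings} for patients who trip a rule.

    rx_spike: a visit's prescription count must exceed rx_spike x the patient's
    previous peak to count as a spike.  remote_sites: how many distinct sites
    outside the home state (assumed: site code prefix == state) trip rule 3.
    """
    by_patient = defaultdict(list)
    for e in sorted(encounters, key=lambda e: e["date"]):  # ISO dates sort lexically
        by_patient[e["patient"]].append(e)
    flags = defaultdict(set)
    for pid, visits in by_patient.items():
        known, prior_rx, remote = set(), [], set()
        for v in visits:
            known |= set(v["diagnosed"])  # diagnoses on record up to this visit
            # Rule 1: treatment for a chronic condition never diagnosed on this record
            for cond in v["chronic_treated"]:
                if cond not in known:
                    flags[pid].add(f"chronic treatment without diagnosis: {cond} on {v['date']}")
            # Rule 2: prescriptions jump past rx_spike x the patient's previous peak
            if prior_rx and v["rx"] > rx_spike * max(prior_rx):
                flags[pid].add(f"prescription spike: {v['rx']} on {v['date']}")
            prior_rx.append(v["rx"])
            # Rule 3: care sought at several sites, none in the home state
            if not v["site"].startswith(v["home"]):
                remote.add(v["site"])
        if len(remote) >= remote_sites:
            flags[pid].add(f"care at {len(remote)} sites remote from residence")
    return {pid: sorted(f) for pid, f in flags.items()}

if __name__ == "__main__":
    for pid, reasons in red_flags(ENCOUNTERS).items():
        print(pid, reasons)  # P2 trips all three rules; P1 trips none
```

A flag is a trigger for the "further investigation" the Report calls for, not a conclusion of fraud; the thresholds are parameters a provider would tune to its own patient population.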

FTC Red Flags Alert Rule
