FTC Set to Begin Enforcing Identity Theft Prevention Regulations on August 1, 2009

Entities subject to the Federal Trade Commission’s (FTC) Red Flags Rule promulgated under the Fair and Accurate Credit Transactions (FACT) Act of 2003—including many health care providers—must develop and implement written policies to detect, prevent and mitigate identity theft by August 1, 2009. The FTC issued final Red Flags regulations in conjunction with other agencies in November 2007, but delayed implementation several times. The current deadline comes at a time of increased FTC activity in the privacy and security sphere. Notably, the FTC recently issued proposed regulations concerning breach notification requirements applicable to personal health records and, also, settled charges against retail pharmacy chain CVS Caremark for allegedly failing to take reasonable and appropriate security measures to protect sensitive customer and employee financial and medical information.

A successful Identity Theft Prevention Program developed in response to the FTC Red Flags Rule will build on existing efforts to combat fraud and protect patients. Covered health care providers can build on existing practices and pathways to create a Red Flags Program. For many entities, efforts undertaken to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations may serve as a good springboard for Red Flags Rule compliance activities.


Notwithstanding the efforts of the American Medical Association to sway the agency, the FTC has clearly indicated that the Red Flags Rule applies in the health care setting. The Red Flags Rule applies to all “creditors” who offer or maintain one or more “covered accounts.” Relevant law defines “creditor” as any entity that regularly defers payments for goods or services, or arranges for the extension of credit. The FTC considers health care providers who bill patients after rendering medical care or who balance-bill patients for medical fees not covered by insurance to be creditors covered by the Red Flags Rule. “Covered accounts” include accounts on which creditors allow multiple payments, including patient billing accounts, and any accounts for which there is a “reasonably foreseeable risk” of identity theft to customers or the creditor, such as patient records.

Under the Red Flags Rule, a covered health care provider must develop and implement a written Identity Theft Prevention Program that enables the provider to detect, prevent and mitigate identity theft. In general, a Red Flags Program must be appropriate given the size and complexity of the institution and the scope of its activities. Entities subject to the Red Flags Rule that fail to comply with its requirements may face civil monetary penalties, as well as potentially costly long-term consent agreements.


The Red Flags Rule outlines four elements that each written Identity Theft Prevention Program must contain and also includes several requirements concerning how each Program must be administered. In addition, Guidelines appended to the Red Flags Rule provide additional insights for designing and implementing a Program. While covered health care providers must consider the Guidelines in designing Red Flags Programs, they are not required to incorporate any specific suggestions.

Components of a Red Flags Program

  • Red Flag Identification. A Red Flags Program must include reasonable policies and procedures to identify Red Flags (i.e., patterns, practices or specific activities that indicate the possible existence of identity theft). The Guidelines provide many suggestions for flags that may be relevant to a given entity’s operations. Many health care providers may find that Red Flags fall into three general categories: patient-raised concerns (e.g., patient reports receiving a bill for a service that he or she did not receive), internally raised concerns (e.g., provider finds that a patient’s history or physical examination is inconsistent with the patient’s record of medical treatment) and externally raised concerns (e.g., provider receives notice of suspected identity theft situation from law enforcement officials).
  • Red Flag Detection. The Program must contain reasonable policies and procedures to detect Red Flags. Covered health care providers will need to be able to detect Red Flags at the time new patient accounts are established, as well as flag problems affecting existing patient accounts. Ongoing detection efforts may involve routine patient identity authentication, procedures for verifying change of address requests and periodic staff surveys to determine whether any patients have presented suspicious documentation or have reported any unusual activity on their accounts.
  • Red Flag Response. The Program must include reasonable policies and procedures to prevent and mitigate identity theft by responding to detected Red Flags. For example, covered health care providers may find that appropriate responses to a trigger may include monitoring a patient’s account and medical records for evidence of identity theft, contacting the affected patient to investigate the matter or notifying law enforcement officials.
  • Program Update. The Program must contain reasonable policies and procedures to ensure that it is updated periodically to reflect changes in risks to patients from identity theft. This will typically involve reassessing the health care provider’s list of Red Flags, learning from any experiences with identity theft, reevaluating methods for detecting triggers, and updating staff training materials, among other activities.

Highlights of Red Flags Program Administration Requirements

  • Leadership Role. The FTC envisions that an entity’s board of directors (or other leaders) will play an ongoing role in Red Flags Rule compliance efforts. For example, each covered health care provider must secure approval of its initial written Program from its board of directors (or an appropriate board committee). In a similar vein, the Guidelines recommend, among other steps, that health care providers present an annual report to the board (or other designated senior management officials) on Red Flags compliance issues.
  • Training. Covered health care providers must train relevant staff to implement the Program effectively, as necessary. Many covered health care providers may find that individuals working in admissions, billing, legal and information technology departments, for example, may need to be trained. In many cases, training modules developed for HIPAA compliance purposes may be modified for use in connection with Red Flags Rule compliance efforts.
  • Service Provider Oversight. Covered health care providers must exercise appropriate and effective oversight of service provider arrangements. The Guidelines expand upon this concept, suggesting that entities ensure that any service providers engaged to perform activities in connection with one or more covered accounts implement reasonable policies and procedures to detect, prevent and mitigate identity theft. Many covered health care providers may find that HIPAA compliance mechanisms, such as lists of entities with which they have entered into business associate agreements, provide a good starting point for service provider oversight efforts.


Identity theft is a growing problem in the health care industry. The FTC reports that roughly 5 percent of all identity theft victims have experienced medical identity theft, which occurs when someone falsely uses another person’s name or insurance information to obtain medical services or products. Recently, cases involving thefts of laptops containing patient records and the unauthorized access of patient health information by facility employees have garnered national media attention. Medical identity theft creates financial and administrative problems for health care providers and may dangerously complicate patient care.

A Red Flags Program that is a natural outgrowth of existing policies and procedures can be an effective tool for combating identity theft in the health care setting. Moreover, such a Program can be readily incorporated into an organization’s overall corporate compliance program in a relevant and appropriate manner, which will enable it to benefit from the centralized focus, resources and initiatives that characterize comprehensive compliance programs.



If you have any questions regarding this alert, the Red Flags Rule or laws concerning the privacy and security of health information more generally, please contact—

Jorge Lopez, Jr. jlopez@akingump.com 202.887.4128 Washington, D.C.
Jo-Ellyn Sakowitz Klein jsklein@akingump.com 202.887.4220 Washington, D.C.
Gary Thompson gthompson@akingump.com 202.887.4118 Washington, D.C.
Anna R. Dolinsky adolinsky@akingump.com 202.887.4504 Washington, D.C.