Doctors must prepare now for new identity theft rules

By Sylvia Hsieh

February 1, 2009

Under new federal “red flag” rules, health care entities and physicians will be required to implement procedures for preventing, detecting and responding to identity theft, according to attorneys.

Until recently, many entities, including health care providers, thought the red flag rules only applied to traditional financial institutions, such as banks.

“Many in the health care industry were taken by surprise and are saying ‘Wow, they actually mean us,’” said Brent Eller, a partner in the health law practice group at Davis Wright & Tremaine in Seattle.

But the new rules also apply to “creditors” – a term that the Federal Trade Commission has interpreted broadly to include any entity that regularly extends credit or accepts deferred payment for services.

“The definition of creditor is enormous,” said Pamela Devata, a management attorney at Seyfarth Shaw in Chicago.

The American Medical Association has written a letter to the chairman of the Federal Trade Commission, arguing that physicians shouldn’t be covered by the rules.

The Federal Trade Commission extended the deadline for compliance from Nov. 1, 2008 to May 1, 2009.

Lawyers are advising health care providers not to wait for an answer from the FTC and to start implementing red flag procedures now.

“The safest course of action is to assume for now that the red flag rules will apply to most health care providers, regardless of their size, unless they require payment in full at the time of service,” said Eller.

Martie Ross, a partner and health care attorney at Lathrop & Gage in Kansas City, Mo., agreed.

“I would not operate on the assumption these rules are going away,” said Ross. “I would operate on the assumption that you’ve got six months to get your house in order.”

The deadline extension is limited to the red flag rules for financial institutions and creditors.

Starting Nov. 1, users of consumer reports, including for extension of credit or employment purposes, have been required to comply with new rules for responding to an address change or discrepancy.

Overlap with HIPAA

The rules, which require implementation of policies to find and respond to “red flags” of identity theft, can be found on the FTC’s website at www.ftc.gov.

The rules have substantial overlap with security rules under the Health Insurance Portability and Accountability Act (HIPAA) that most providers have already implemented to address improper access to patient information.

This should help reduce the burden on providers, said Eller.

“As a result, the red flag rules represent an opportunity to go back to some of these policies and procedures and ask, ‘Are these measures we’re taking doing enough to secure information against identity theft in addition to just improper access?’” said Veronica Marsich, a shareholder at Smith Haughey Rice & Roegge in Ann Arbor, Mich.

Some examples of “red flags” include suspicious information supplied by a patient, such as inconsistent Social Security numbers or other mismatched personal information.

The policy must include “appropriate responses” to prevent and mitigate identity theft once a red flag is found, such as a clear chain of communication for notifying a risk manager or other compliance officer.

The regulations also require that the policy be approved by the entity’s board of directors and updated every year.

Another requirement is that covered entities train employees on the written policies.

“This is not a trivial process,” said Eller. “In addition to setting up a written program, another element is training staff so they know what to do when a red flag pops up.”

The regulations provide for civil penalties, such as monetary sanctions and enforcement action by the FTC.

New standard of care?

Some lawyers predict that the new rules will become the standard of care in litigation involving identity theft.

“As the red flag rules become more prevalent and companies adopt them, that will become the standard for what a reasonable company does,” said Jack Gravelle, an attorney with Porter Wright in Columbus, Ohio.

“If identity theft occurs, a plaintiff’s attorney may well use the lack of a red flag program against the provider, contending that the provider was negligent in failing to implement the safeguards such a program would have provided,” said Eller.

Eller noted that additional guidance is expected from the FTC in the next several weeks that lawyers hope will further clarify the rules.

HELPFUL RESOURCES:

Providers can start to look for sample policies, seminars and other support from professional associations.

• The World Privacy Forum has published suggestions for health care providers on the red flag rules and the earlier address discrepancy requirements, which you can find at www.worldprivacyforum.org.

• The American Health Lawyers Association sells a LexisNexis product containing analysis and tools on red flag compliance, geared toward health care attorneys. Their website is www.healthlawyers.org.

Questions or comments should be directed to the writer at: sylvia.hsieh@lawyersusaonline.com
