Q&A: Fighting identity theft

January 9, 2009

Do the FTC's "red flags" rules apply to physician practices?

Q: Federal regulations are requiring creditors to have in place an identity theft prevention program by May 1, 2009, under the Federal Trade Commission's "Red Flags Rules." Since physician offices often extend credit through payment plans to patients who cannot afford to pay their bills in one lump sum, are they considered creditors under this regulation? Is compliance with the Health Insurance Portability and Accountability Act sufficient to cover this?

A: Because doctors' offices allow patients to defer payments, they are considered creditors and are subject to this rule. The final rules require each financial institution or creditor that holds a consumer account (or other account for which there is a foreseeable risk of identity theft) to develop and implement a written prevention program for combating identity theft. The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. Additionally, the program must enable a financial institution or creditor to identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the program, respond appropriately to any red flags that are detected, and ensure the program is updated periodically to reflect changes in risks from identity theft. This does not fall under HIPAA regulations, but you may be able to leverage some HIPAA-related procedures you already have in place.