Management of Pathology Practices

May 2009



FTC "Red Flags" Rule Compliance

By John R. Outlaw, PSA, LLC


The Federal Trade Commission has announced that enforcement of the new "Red Flags Rule" will be delayed until August 1, 2009, to give creditors and financial institutions with a low risk of identity theft more time to develop and implement written identity theft prevention programs.



In November 2007, the Federal Trade Commission (FTC) finalized a set of new regulations designed to carry out certain aspects of the Fair and Accurate Credit Transactions (FACT) Act of 2003 by providing for the identification, detection, prevention and mitigation of identity theft.  These regulations, known as the "Red Flags" rule, required creditors to develop and implement Identity Theft Prevention Programs by November 1, 2008.  However, to the surprise of most in the healthcare community, the FTC interpreted the definition of a "creditor" to include healthcare providers, arguing that by not demanding payment in full at the time of service, healthcare providers have by definition extended "credit" to their patients.  In spite of pointed objections and efforts by the American Medical Association (AMA), the College of American Pathologists (CAP) and many other medical associations, societies and healthcare-related political action groups to have healthcare providers exempted from the rule, the FTC persisted with its interpretation, ultimately agreeing only to delay the enforcement date until May 1, 2009.  In the months since, these organizations have continued their efforts, but to no avail.



The rule defines a "red flag" as any "pattern, practice or specific activity that indicates the possible existence of identity theft".  The FTC identified 26 example red flags, grouped into 5 categories of warning signs, that all "creditors" must consider as part of their Identity Theft Prevention Program. The categories are:


▪ Alerts, notifications, and warnings from a consumer reporting company

▪ Suspicious documents (e.g., altered, forged or otherwise inauthentic)

▪ Suspicious personal identifying information (e.g. any inconsistency between identifying information provided and that which is already on file)

▪ Unusual use of or otherwise suspicious account activity

▪ Notification from other sources (the victim, law enforcement, etc.)



"Creditors" are required to implement an Identity Theft Prevention Program with reasonable policies and procedures which provide for:


▪ the identification of these "red flags" (i.e., suspicious patterns, practices or activities as referenced above, including those specifically identified by the FTC and any others identified by the creditor) that may indicate possible identity theft;

▪ the detection of "red flags" when they occur;

▪ the appropriate response when "red flags" are detected in order to prevent and mitigate identity theft; and

▪ a mechanism to ensure that the program’s policies and procedures are periodically updated to reflect changes in identity theft risks.



Healthcare providers who have already implemented policies and procedures to protect the privacy and security of protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 are well ahead of the curve.  Most of the individually identifiable information at risk of identity theft under the Red Flags rule is already defined as PHI under HIPAA, so the protocols already in place to protect and secure PHI will carry much of the load.  They will not cover everything, however: HIPAA's safeguards are chiefly concerned with keeping PHI from being disclosed, whereas the Red Flags rule is concerned with detecting that someone is using a patient's identity to obtain services or payment, and the harm from that extends well beyond a privacy breach.  Detecting it calls for identity verification and account monitoring procedures that HIPAA's privacy and security rules were not designed to provide, so providers should review their existing controls in light of this broader risk to determine whether additional measures are necessary.  Also, while many of the necessary controls may already be in place and can be referenced as part of the provider's Identity Theft Prevention Program, it is important to note that the law requires the Identity Theft Prevention Program to be separately conceived, written and administered.



All healthcare providers who do not demand payment in full at the time of service satisfy the FTC's definition of a creditor, and therefore all are required to have an Identity Theft Prevention Program; however, the nature and extent of the program is "scalable", that is, it must be tailored to the provider's specific circumstances.  In laboratories and hospital-based settings the exposure is somewhat limited relative to many other healthcare providers, because many of the larger risks are borne by other entities.  For example, laboratories and hospital-based practices generally do not have face-to-face contact with patients, so positive identification of the patient and collection of the patient's demographic and insurance information fall to the referring providers; and hospital-based practices may also benefit by relying on many of the safeguards the hospitals implement to ensure their own compliance.  Also, to the extent that billing and collection services are outsourced to third parties, laboratories and hospital-based practices are generally not involved in handling payments on their patients' accounts, which further limits these providers' direct risk in this high-exposure area.



Although the scope of the Identity Theft Prevention Programs implemented by laboratories and hospital-based practices may be somewhat limited by their lack of direct involvement in some of the higher-risk activities, as "creditors" they are nonetheless accountable for the actions of the "service providers" with whom they contract to administer their covered accounts.  To that end, providers should amend existing service agreements with those entities to require compliance with the FTC's Red Flags rule, and should verify that compliance rather than take it on faith.



In order to comply with the "Red Flags" rule, the following measures must be taken to provide for the necessary administration of the Program:


▪ Create an initial Identity Theft Prevention Program and have it formally approved by the Board or other equivalent governing body effective May 1, 2009

▪ Have the Board officially assign a member of the senior management team with responsibility for carrying out the implementation of the Program and provide for its ongoing development, administration and oversight - including periodic updates and annual reports to the Board on the Program’s effectiveness

▪ Provide training to all staff on the risks of identity theft and the elements of the Program designed to identify, detect and respond to those risks

▪ Exercise appropriate oversight of "service providers" (e.g., billing companies, consultants and other contractors involved in handling covered accounts) by requiring compliance with the Red Flags rule



Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007


Fighting Fraud with the Red Flags Rule - A How-To Guide for Business, FTC


The "Red Flags" Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft, Steven Toporoff


Protect Your Patients, Protect Your Practice: What You Need to Know About the Red Flags Rule, AMA 


AMA Identity Theft Prevention and Detection and Red Flags Rule Compliance: Sample Policy, AMA


PSA provides billing, coding, marketing, and business support services to pathologists nationwide.