After an earlier delay, the Federal Trade Commission (FTC) has pushed back the date for enforcement of new identity theft protection rules until November 1, 2009.
The FTC promulgated what are called the “Red Flag Rules,” which require creditors to develop and implement a written identity theft prevention program as part of the Fair and Accurate Credit Transactions Act of 2003. At a minimum, compliance with the Rules requires the following measures: a written program; approval by the board of directors; oversight by the board, board committee, or a senior manager; staff training; and periodic review and updating as necessary. There is no specific program that all covered entities must adopt, and the Rules are somewhat flexible depending on the type and size of the entity. Facilities have the opportunity to design and implement a program that is appropriate for their size and complexity, as well as the nature of their operations.
The complexity of the Rules becomes evident when you look into the details.
The Rules apply to financial institutions and creditors with “covered accounts.” A creditor is defined under the Rules as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew or continue credit.” Credit is defined as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.” Thus, if your facility regularly defers payment for its medical services, then you would be considered a creditor under the Rules.
Unfortunately, the FTC did not define the term “regularly.” However, the agency has interpreted the term to mean a regularly occurring business practice. Therefore, all health care facilities are creditors if they, as a regular business practice, do not require all patients to pay for medical services at the time that the services are provided. If a facility generally allows patients to defer payment or enter into payment plans when bills are outstanding, the facility falls under the definition of “regularly” extending credit based on this practice. The FTC notes that when non-profit and government entities defer payment for goods or services, they are to be considered creditors.
Furthermore, it has been suggested that the definition of “creditor” would apply to any health care provider that provides services without demanding payment at the time services are rendered. The FTC’s commentary seems to support this interpretation. The FTC indicated in its commentary that telephone companies and utilities are considered “creditors” under the Rules because they provide telephone or power services now, and send a bill later. The FTC’s position appears to be that the use of invoices and delayed payment after the resident receives medical care creates a creditor relationship under the Red Flag Rules. Finally, an Enforcement Policy issued by the FTC on October 22, 2008, states that “any person that provides a product or service for which the consumer pays after delivery is a creditor.”
As stated earlier, the Rules apply to creditors with “covered accounts.” Covered accounts may appear in two forms. A covered account means an account offered or maintained by a creditor, primarily for personal, family, or household purposes, that either: (a) involves or is designated to permit multiple payments or transactions; or (b) is an account in which there is a reasonably foreseeable risk to customers or the creditor of identity theft.
An account for medical services is primarily for personal, family, or household purposes. The FTC provided several examples of accounts that permit multiple payments or transactions which include: a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account. In a health care setting, patients (or the insurer) typically make payment on a later date after the provision of services and, in some cases, are permitted to establish payments plans over a set period of time. Based on the language of the definition and the FTC’s interpretations, such accounts are considered covered because they involve multiple payments to be made on the accounts after services are rendered.« Back to news