
New Identity Theft Rules Applicable to Organizations (Including Health Care Providers) That Allow Consumers to Defer Payment for Services

Johanna M. Novak
Foster Swift Health Care Law Report
October 2008

The Federal Trade Commission ("FTC") issued new rules requiring creditors with certain "covered accounts" to have policies and procedures in place by November 1, 2008, to detect, prevent and mitigate identity theft.  The FTC considers most health care providers to be creditors for purposes of these rules.  The rules can be found at 16 CFR 681.2. 

A creditor is technically defined as "any person who regularly extends, renews, or continues credit."  However, the FTC interprets this to include any organization that allows consumers to defer payment for services already rendered, including but not limited to health care providers, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.  For example, if a health care provider treats a patient and allows that patient to leave the office with an outstanding balance due, even if the balance due will likely be paid by the patient's health insurance carrier, then that provider is a creditor for purposes of these rules.   

A covered account is simply an account that is used mostly for personal, family, or household purposes and that involves an extension of credit, such as the purchase of property or services involving a deferred payment.  Accounts maintained by health care providers are accounts for personal, family, or household purposes.  A covered account also includes a credit card account, mortgage loan, automobile loan, cell phone account, or utility account.

If your organization is a creditor that maintains covered accounts, both defined above, then your organization must implement an identity theft prevention program by November 1, 2008, to detect, prevent, and mitigate identity theft.

Developing an Identity Theft Prevention Program

An identity theft prevention program must include reasonable policies and procedures to:

  1. Identify relevant red flags (or warning signs) for your covered accounts and incorporate those red flags into your program.  Red flags can be identified by analyzing past incidents of identity theft that the organization has experienced.  Red flags can also be identified through alerts or warnings received from local law enforcement, patients, or consumer reporting services.

  2. Detect red flags that have been incorporated into the program.  An organization can detect red flags by obtaining identifying information about, and verifying the identity of, a person opening a covered account.  The organization can also authenticate existing customers as they present for services and verify the validity of change of address requests. 

  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft.  Appropriate responses to red flags may include monitoring a covered account for evidence of identity theft, contacting the consumer, changing passwords or security codes that permit access to covered accounts, closing an existing covered account, notifying law enforcement, not attempting to collect a covered account, or determining that no response is warranted under the particular circumstances. 

  4. Ensure that the program is updated periodically to reflect changes in risks to consumers.  Your organization should update the program based on your own experiences with identity theft and any changes in methods of identity theft.

You must have either your organization's board of directors, a committee of the board, or an employee in senior management assist in the oversight and development of your program.  Your organization's board of directors (or an appropriate committee of the board of directors) must approve the program.  You must train your staff as necessary to effectively implement the program.

You may utilize existing policies and procedures to accomplish the above goals.  For example, health care providers implemented HIPAA privacy and security policies several years ago.  These existing policies may already accomplish certain elements of an identity theft program, such as verifying the identity of patients.

If you would like our law firm's assistance in developing the policies and procedures necessary to implement an identity theft program, please contact Attorney Johanna Novak at (517) 371-8231.