Red Flags Rule
Brief description of Red Flags Rule
In November 2007, the Federal Trade Commission (FTC) issued a set of regulations, collectively known as the "Red Flags Rule," requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. The Red Flags Rule was intended to ensure that banks, credit card companies and certain retailers protect consumer financial information. Unfortunately, the FTC took the position that the Red Flags Rule would apply to physician practices. The American Medical Association (AMA) strongly opposed the FTC’s position.
Although the AMA, in conversations with the FTC, succeeded in delaying the application of the Red Flags Rule to physicians five separate times and urged the FTC to reconsider, the FTC did not change its position. Consequently, the Litigation Center of the AMA and the State Medical Societies filed a lawsuit seeking to clarify that the Red Flags Rule did not apply to physicians.
At the same time, the AMA urged Congress to pass legislation specifically excluding physicians from the Red Flags Rule. The AMA achieved a significant victory in December 2010, when President Obama signed into law the Red Flag Program Clarification Act of 2010, which limits the type of "creditor" that must comply with the Red Flags Rule. The Congressional Record further reflects the bipartisan intent of the bill’s sponsors that physicians, lawyers, dentists, and other professionals should no longer be classified as "creditors" for the purposes of the Red Flags Rule just because they do not receive payment in full at the time that they provide their services.
The Red Flag Program Clarification Act indicates that creditors who fall under the Red Flags Rule are only those who regularly and in the ordinary course of business:
- obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
- furnish information to certain consumer reporting agencies in connection with a credit transaction; or
- advance funds to, or on behalf of, a person based on the person's obligation to repay the funds, or on repayment from specific property pledged by them or on their behalf. (This does not include creditors who advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.)
Not billing or receiving payment in full at the time a physician provides services will not result in the physician being considered a creditor under the Red Flags Rule. Because of the Red Flag Program Clarification Act, the Litigation Center was able to drop its lawsuit; the clarification sought by the litigation was no longer necessary.
Although the Red Flags Rule does not apply to most physician practices, the AMA believes that it is prudent for all physician practices to have patient identity prevention programs in place. To this end, the AMA has developed Red Flags Rule educational resources.
These resources include a sample practice policy that will greatly aid those physicians who may want to implement some, or all, of the Red Flags Rule requirements in order to proactively address identity theft issues or otherwise incorporate a simple identity theft prevention and detection program into their existing compliance and Health Insurance Portability and Accountability Act (HIPAA) security and privacy policies.
Red Flags Rule guidance document
This informative resource addresses the following questions:
- What is the purpose of the Red Flags Rule?
- How do the rules differ from HIPAA Privacy and Security Rules?
- Who has to comply with the Red Flags Rule?
- What is a "Red Flag?"
- How can physician practices comply with the Red Flags Rules?
This resource includes simple, customizable policies and procedures to incorporate into your practice, in order to comply with the requirements of the Red Flags Rule that entities have reasonable policies and procedures in place to identify, detect and respond to Red Flags. Also included in this policy is the FTC's Identity Theft Affidavit , which can be used by patients who may be victims of identity theft.
AMA members can access the Word version of the Sample policy and adapt it to their individual practice.
The FTC provides a list of frequently asked questions about the Red Flags Rule, entitled, "Fight Fraud with the Red Flags Rule: A How-To Guide for Businesses."