Red Flag Rules
As part of the Fair Credit Reporting Act of 2003, the Federal Trade Commission (FTC) and other regulatory agencies have issued joint regulations regarding the detection, prevention, and mitigation of identity theft. The joint regulations, commonly referred to as the Red Flag Rules, broadly apply to financial institutions, creditors, and many health care providers. The enforcement date of these standards has been delayed numerous times and is currently set for December 31, 2010.
Although banks, financial institutions, and debit and credit card companies are most affected by the Red Flag Rules, some of the obligations apply to other entities that are considered creditors, including many health care providers, non-profit organizations, and even government entities. Essentially, by establishing an account that permits a patient to make multiple payments, a health care provider is considered a “creditor” maintaining “covered accounts,” and thus subject to certain provisions of the Red Flag Rules. Such health care providers are required to implement a written medical identity theft program.
Resources
AMA Red Flags Rule Resources (ama-assn.org)
AMA identity theft prevention and detection and Red Flags Rule compliance: Sample policy (ama-assn.org PDF)
American Hospital Association Red Flags Rule Resources (aha.org)