The US Federal Trade Commission (FTC) and the federal financial regulators have been working on the Red Flags rule for identity theft for over six years, since the rule's enabling statute, the Fair and Accurate Credit Transactions Act (FACTA), was enacted in 2003. On April 30, 2009, the FTC delayed enforcement for a second time, now until August 1, 2009. The rules are designed to curb the rapidly increasing incidence of identity theft in this country. Virtually all banks and most other financial institutions are covered, but in a bold new foray that widens the scope of FTC activity, nonfinancial creditors are covered as well.
Much has been said about Red Flags and the need to enforce them in order to prevent financial identity theft. However, in a little noted expansion of its authority, the FTC mentioned medical identity theft in the Red Flags regulations and has now moved to make medical identity theft a major new enforcement thrust, using the HITECH portion of the American Recovery and Reinvestment Act of 2009 (ARRA) as its platform. Medical providers and their lobbyists and attorneys were among the loudest complainants about the potential extension of the Red Flags rules to health providers. Their complaints centered on the apparent double regulation of health care providers, since insurance contracts and the HIPAA rules already require due care in protecting the privacy of patient records. The FTC, however, has asserted that new rules are needed to stem the growing tide of medical identity theft, and HITECH directs both the FTC and the US Department of Health and Human Services to issue breach notification rules, with the FTC's proposed rule now on the table. So, while you may be used to getting letters from your financial providers about privacy breaches involving your credit card or personal financial data, you may soon be getting them about breaches of your medical and pharmacy records, courtesy of the FTC.
In an interesting twist, the FTC has already successfully asserted authority over the privacy of protected health information (PHI) using its existing power to investigate deceptive practices. If a doctor's office posts a sign that says "we take privacy seriously and we protect your personal health information," and that office later suffers a loss or theft of health information, the FTC can investigate and sanction it for failing to live up to its own representation. This theory was the basis of the FTC's enforcement action against CVS Caremark after it was revealed that protected health information could be recovered from pharmacy trash cans by simple dumpster diving.
But to get serious traction in enforcing privacy protections on healthcare providers, the FTC needs statutory authority to regulate notification of patients when their records have been breached, or may have been breached, because a healthcare provider's privacy controls failed. So on April 16, 2009, the FTC published proposed breach notification rules under HITECH that affect healthcare providers and the businesses that handle health records for them.
This could be bad news for medical and dental practices all over the country. In addition, their "business associates," the businesses that do so much of the administrative and financial processing for medical and dental practices, are suddenly going to be in the limelight as well. The FTC has made it clear that it intends to hold covered entities, those who hold private medical and financial data, to a "walk the talk" standard: it will look for evidence that processes conforming to best practices for handling private information actually exist and are followed. As with Red Flags, an investigation could involve sampling of transactions, examination of logs, review of a formal Identity Theft Prevention Program, and reviews of the effectiveness of specific controls.
Doctors and dentists can avoid the most burdensome of the Red Flags rules if they in no way offer credit, that is, deferred payment for services, to their patients. However, many medical and dental practices depend on offering deferred payment for elective procedures, for procedures not covered in their entirety by insurance, or whenever co-pays and deductibles enter the equation. A medical provider with none of these situations is probably not covered by the Red Flags requirements, including the requirement to develop a formal Identity Theft Prevention Program. But if doctors claim to protect patient identities and hold themselves out as adhering to the highest standards of security for patient records, then, entirely apart from Red Flags coverage, they may be exposed to FTC enforcement for deceptive practices.
Bottom line: doctors and dentists have a duty to know that the person being treated is who they claim to be, with a name, address, birth date, and Social Security Number that match the insurance identity card presented. Diagnostic testing businesses have a similar duty to confirm identity. These businesses also have a duty to protect any private health or financial information they hold, and to follow up on suspected identity theft Red Flags. Today, if any sort of deferred payment is involved, Red Flags comes into play. Even with no deferred payment, and thus no possibility of a bad-credit report to a credit bureau, a medical provider still faces FTC enforcement and deceptive practices complaints if it promises to keep patient records private and later loses them. And if the proposed new regulations are approved, medical providers will be held to a new standard of privacy protection and breach notification even when no credit or payment issue is at stake.
Related posts:
- ‘Red Flag’ Requirements for Financial Institutions and Creditors
- Are the 26 Red Flags a Rx for Compliance?
- HITECH Privacy Provisions in ARRA
- FTC Red Flags Primer (Screen Cast)
- 201 CMR 17 in Plain English