Healthcare Chronicles: Are You Ready to Comply With the Red Flags Rule?

May 27, 2009
by Daniel Sternthal, J.D. and Diane T. Carter, J.D.

This report originally appeared in the May 2009 issue of DOTmed Business News

By August 1, 2009*, virtually all health care providers (including hospitals and physicians) throughout the United States will be required to comply with new privacy and security requirements to prevent identity theft. These new requirements are referred to as the Identity Theft Red Flags Rule (the "Rule"), which applies to any "Creditor" who maintains "Covered Accounts," as those terms are defined in the Rule.

Applicability of the Rule

The American Medical Association ("AMA") and other associations have recently corresponded with the FTC arguing, among other things, that the agency's interpretation that the Rule applies to physicians is overly broad. At the center of the debate is the definition of the term "Creditor" and whether health care providers fall under such a definition. The Rule defines the term "Creditor" as having the same meaning as in the FCRA, which was derived directly from the definition of "Creditor" in the Equal Credit Opportunity Act ("ECOA"). The ECOA defines the term to include, "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." The term "Credit" is defined in the ECOA as, "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payments therefor."

The FTC maintains that anyone who defers payment for services provided beyond the date of service is a Creditor, and that a health care provider that bills a patient after having provided medical services clearly fits that definition.

The second key definition of the Rule is "Covered Accounts." A "Covered Account" is defined as (i) an "account that a ... creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, and (ii) any other account that the ... creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the ... creditor from identity theft, including financial, operational, compliance, reputation or litigation risks."