Ungaretti & Harris LLP

Publications: Red Flags Rules

Healthcare Update
03/24/09

Pursuant to an action of the Federal Trade Commission, the deadline for implementation of a written identity theft prevention program has been extended to November 1, 2009.

Health care providers, including hospitals and physician groups, should know that they may be subject to the Red Flag Rules. The Red Flag Rules are new federal regulations issued by the Federal Trade Commission that require certain entities to develop and implement a written identity theft prevention program. If you are a covered entity under the Red Flag Rules, you must have such a program in place as of May 1, 2009.

Is your organization covered by the Red Flag Rules?

The Red Flag Rules apply to “financial institutions” and “creditors.” The FTC has broadly interpreted the term “creditor” so as to include any entity that permits an individual to purchase services and defer payment for those services. Therefore, any healthcare provider who allows for payment of medical services after those services have been rendered constitutes a creditor for purposes of the Red Flag Rules. The Red Flag Rules will apply to any “covered account” of the creditor, which includes any account set up to permit one or more payments or transactions or any such account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft.

What to do if you are covered by the Red Flag Rules:

You must implement a written identity theft prevention program as of May 1, 2009. For most healthcare providers, such a program will consist of carefully developed policies which will be consistently applied to detect potential identity theft that the provider could encounter in its normal operations. The policies must:

  1. Identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program;
  2. Detect Red Flags that have been incorporated into its program;
  3. Respond appropriately to any Red Flags that are detected;
  4. Update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.

If you have any concerns about your organization’s readiness for the upcoming enforcement of the Red Flag Rules, please do not hesitate to contact Steven Banghart (312.977.4880) at Ungaretti & Harris for assistance.