ISMA e-Reports, October 20, 2008

FTC requires identity theft compliance program

*Update: the deadline has been moved to May 1, 2009. For more information, go here.

The Federal Trade Commission (FTC) has issued regulations, called the Red Flag Rules, requiring financial institutions and “creditors” to develop and implement written identity theft prevention programs by Nov. 1, 2008.

The programs must provide for the identification, detection and response to patterns, practices or specific activities (“red flags”) that could indicate identity theft.

To the surprise of many, the FTC has now taken the position that this program also applies to many health care providers, including physicians.

The rules apply to all “creditors” who offer or maintain “covered accounts.” According to the FTC, physicians extend credit to patients when the physicians do not demand full payment for medical goods or services at the time the goods or services are provided, and thus qualify as a “creditor.” This includes payment arrangements, regardless of how rare.

The second part of the test of a creditor is whether a physician offers or maintains accounts for patients that involve – or are designed to permit – multiple payments or transactions. According to the FTC, this includes an ongoing patient relationship involving or permitting multiple payments or transactions.

An example would be the practice of collecting a co-payment at the time of service, then subsequently collecting from any third-party payers, and finally collecting any remaining amount due from the patient.

If it is determined that a provider does not maintain a covered account, the provider still falls under the rule if there is a reasonably foreseeable risk to customers or the safety and soundness of the provider from identity theft.

About a compliance program

In short, the FTC believes most health care providers are creditors who maintain covered accounts. Those entities must quickly develop identity theft compliance programs.

Your opportunity to comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go here.

Identity theft compliance programs must:

  1. Identify red flags
  2. Detect red flags
  3. Respond appropriately to detected red flags to prevent and mitigate identity theft
  4. Be reviewed and updated periodically

The written program must be tailored to the size, nature and complexity of the business, taking into account trends in the marketplace and any historical experiences with identity theft. The program must be approved by the entity’s board of directors or a member of senior management and must be updated periodically.

To learn more

The AMA is challenging the FTC’s application of this new rule to physicians (see story below). In the meantime, entities to which the rule applies must be in compliance by Nov. 1*. Sanctions for failure to comply with these rules can include civil action and fines of $2,500 per infraction.

For further information, read the FTC’s final rule here and an FTC business alert here. The rule contains an appendix (72 FR 63774) to assist businesses in identifying and setting up their red flags.

For more on how to address the requirement, check out the suggestions for health care providers from the non-profit World Privacy Forum here.

Contact the ISMA Legal Department to obtain a referral to a health care attorney who can help you determine if these rules apply to you and help you implement a program.

AMA, specialty societies send letter of protest to FTC

The AMA along with 27 national specialty societies issued a letter Sept. 30 to the chairman of the Federal Trade Commission indicating they “strongly disagree with the FTC interpretation that physicians are ‘creditors,’ and therefore subject to the Red Flag Rules.”

The letter also stated that the undersigned organizations do not believe most practicing physicians are “creditors” under the statutory and regulatory scheme, as most do not “regularly extend, renew or continue credit.” They noted the rule specifically mentions lenders like banks, finance companies, mortgage brokers, auto dealers, utilities and telecommunication companies.

“The final rule does not include physicians (or other health care providers or other types of professionals such as lawyers, accountants, or consultants) among the trades or businesses identified as creditors,” the letter noted.

The ISMA will alert members of any change in this regulation. To read the AMA’s letter, visit here.