FTC rule requires doctors to monitor identity theft red flags

New rules treat doctors' offices like banks and credit card companies, holding them responsible for identity theft the same way they're responsible for patient privacy.

The Federal Trade Commission (FTC) and other agencies published a final rule on identity theft red flags that will take effect Aug. 1, and that applies to medical practices. The rule requires financial institutions and creditors—again, medical practices fall under this definition—to develop and enact a written identity theft protection program. Creating a fictitious identity using even a single piece of identifying information, including medical information, that belongs to a real person falls within the rule's definition of “identity theft.”

[Editor's note: The rule was originally to take effect May 1; the FTC announced it would delay enforcement on April 30. This Web edition updates ACP Internist's print edition, which mailed to members before the FTC's announced delay.]

The red flags rule has been a controversial set of regulations. At its inception in July 2006, and still today, there are many who question its relevance to medical practice. The proposed rule initially went unnoticed by the medical community for several reasons. The rule came from federal agencies that are unlikely sources of health care-oriented regulations, and there was no mention of physicians, medical practices, or health care in the proposed rule. As a result, it went to final publication without comment from the medical societies. The language of the final rule added references to “medical identity theft” and “health care field,” garnering the attention of ACP and others. The rule is online.

Since the rule's publication, ACP has challenged its application to medical practices. In February 2009, a joint letter objecting to the classification of physicians as “creditors” was signed by 49 medical specialty and subspecialty associations and by 36 state medical societies. There have been in-person meetings and an ongoing exchange of letters among ACP, the American Medical Association, many other medical associations and the FTC. The volume of comments from ACP and other medical societies was instrumental in obtaining a delayed implementation, first until May 1 and now until Aug. 1.

Still, because the rule is now taking effect, medical practices have to comply with it.

Q: Isn't this really for financial institutions, like banks and credit lenders?

A: Although the primary target of the rule is financial institutions, the rule also applies to medical practices. The FTC insists that physicians fit into the category of “creditors” because they routinely allow “customers” to delay their payment for services. In the final rule, the term “creditor” is defined as “a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors.” ACP and the American Medical Association, along with many other medical societies, strongly disagree with this definition.

Q: Does this rule apply to the patients' medical information?

A: The rule applies to any relationship entered into to obtain a product or service. Any service involving a deferred payment is considered an account, not just a financial account.

The rule is aimed at accounts for which there is a reasonably foreseeable risk of identity theft, i.e., consumer accounts, which are the most common targets of identity theft. Because of this, the final rules require every anti-identity theft program to cover accounts that are set up primarily for personal, family or household purposes, and that involve multiple payments or transactions. (One can infer from this that if a medical practice does not allow deferral of payments, and collects all its fees upfront at the time of service, the practice would not meet the definition of a “creditor.”)

Q: What's the difference between this rule and the HIPAA rule?

A: HIPAA protects unauthorized access of personal health information, but not the potential for medical identity theft. Although there may be some overlap, the primary differences are that HIPAA focuses on medical records data and the FTC rule focuses on financial protections. Federal government officials have not stated whether a violation of the red flags rule would also constitute a HIPAA violation.

Q: What specific type of information is being protected?

A: Although a medical office is permitted to decide which of the guidelines are appropriate, the types of information to protect are those one might expect: name, Social Security number, birth date or a unique electronic identification number. E-mail addresses and cell phone numbers also need protection.

Q: What are the red flags, and what kinds of risk factors should we consider?

A: Medical offices should consider the types of covered accounts they offer or maintain, the methods they provide to open and access accounts, and their previous experiences with identity theft. Offices should give careful consideration to practices such as offering to bill the patient for co-pays and coinsurance amounts, setting up payment plans for services that are not covered by the health insurance plan, or supplying patient medical data to purported “research firms.”

Q: How can we detect red flags for our practice?

A: When opening new patient accounts, obtain identifying information to verify the identity of the person. The identifying information might be a driver's license or a state-issued photo identity card in combination with the patient's insurance card. For existing patients, repeat these same steps at each check-in, and also verify change-of-address requests. These steps should be taken at the first patient visit and at every subsequent visit.

Q: How can we prevent and mitigate identity theft?

A: Consider factors that may heighten the risk of identity theft, such as medical records or prescription information stolen from the trash, unauthorized password changes, or breaches of the practice's e-mail system that result in unauthorized access to a customer's account records held by the medical practice or by the third parties it deals with. Also be aware of cases in which a patient provides information to someone fraudulently claiming to represent the financial institution or creditor, or to a fraudulent Web site.

Business Week magazine relayed a story of how a fraud ring used patients' medical information to defraud an insurance company: “… law enforcement authorities say that more and more frauds are being perpetrated by organized crime rings who steal dozens, and sometimes thousands, of medical records, as well as the billing codes for doctors. The rings then set up fake medical clinics—offering free health screenings as a ruse to draw in patients—that submit bogus bills to insurers, collect payments for a few months, and then disappear before the insurers realize they've been had.” [Business Week. January 8, 2007.]

Q: We have other companies working for us, on claims billing and such. Do any of the rules apply to them?

A: A physician practice could require its billing service or debt collection agency by contract to have policies and procedures to detect relevant red flags that may arise, and either report the red flags to the practice or take appropriate steps to prevent or mitigate identity theft.