Red Flags Rule: Applies to healthcare providers too...

The Red Flags Rule (Rule), codified at 16 C.F.R. § 681.2, took effect May 1, 2009. The Rule requires “financial institutions” and “creditors” who have “covered accounts” to develop and implement a written Identity Theft Prevention Program and comply with certain other requirements set forth in the Rule.

The term “creditor” is defined broadly and includes businesses and organizations that provide goods or services and bill customers later. Health care providers are among the many entities that may fall within this definition. The term “covered accounts” is defined broadly and includes any account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers or the creditor of identity theft. As an example, the Federal Trade Commission (FTC) has suggested that a reasonably foreseeable risk of identity theft may arise in connection with accounts that can be accessed remotely, such as through the Internet or by telephone.

Creditors that have covered accounts—including health care providers, whether they are for-profit, not-for-profit, or governmental entities—are now required to develop and implement a written Identity Theft Prevention Program in accordance with guidelines set forth in the Rule. Failure to comply could result in $2,500 in fines for each violation.

What changes have you made to comply?