Security breaches at hospitals and other health care entities are occurring with alarming frequency, as evidenced by the nearly daily news stories covering this critical issue. While the threat that a security breach could result in identity theft of an entity's customers is a concern facing all consumer-based industries, recent news reports have focused on the fact that health care companies are particularly vulnerable to security breaches. Health care entities are a ripe target for security breaches due to the sensitive nature of the patient information that they house, such as personal identifying information (address, date of birth, social security number, etc., of a patient), financial information (patient's account numbers, credit card numbers, etc.) and medical records (medications, HIV status, mental health, etc.). The unfortunate reality is that health care entities must fend off not only the traditional form of identity theft, which is an unauthorized acquisition or use of data that compromises the security, confidentiality, or integrity of a patient's personal information, but also medical identity theft. Medical identity theft, which is on the rise partly due to the increasing numbers of uninsured, occurs when someone falsely uses another person's name or insurance or benefits information in order to obtain medical services or products, such as prescription pharmaceuticals. Medical identity theft can be devastating to the individual whose information is fraudulently used in that it can create a false medical record, jeopardizing future care to the victim. It also presents financial, operational, and administrative difficulties for health care providers. Although a broad spectrum of entities, including banks, mortgage lenders, credit unions, utility companies, car dealers and telecommunications companies, will be subject to the Red Flag Rules ("Rules"), this article focuses on their applicability to the health care sector, where many companies may not ordinarily think of themselves as "creditors."
Applicability Of The Red Flag Rules To Health Care Entities
The Federal Trade Commission ("FTC") promulgated final regulations in conjunction with The Fair Credit Reporting Act, as amended in 2003, requiring financial institutions and other creditors to adopt written identity theft prevention programs designed to prevent, detect, and mitigate the effects of identity theft. Such regulations, known as the "Red Flag Rules," are applicable not only to financial institutions, but to any entity that meets the definition of a creditor and maintains covered accounts , regardless of whether the health care provider is a for-profit or not-for-profit entity or in the government or private sector.
A creditor is defined as any entity that " regularly extends, renews, or continues credit; [or] any [entity] who regularly arranges for the extension, renewal, or continuation of credit." During an American Health Lawyers Association teleconference on October 1, 2008, an attorney from the FTC (the "FTC Representative"), defined "credit" in very broad terms as the right granted to a debtor to defer payment for goods or services. There has been some speculation about whether there is a quantifiable definition of "regularly" extending or arranging for credit, which is relevant to an entity's determination as to whether it is a "creditor" that must comply with the Red Flag Rules. While the regulations do not provide a bright-line test on this issue, the FTC Representative stated that, in her view, "regularly" is interpreted to mean a regularly occurring business practice. Accordingly, under her interpretation, hospitals and other health care providers are creditors if they, as a regular business practice, do not require all patients to pay for medical goods or services at the time that such goods or services are provided.
A covered account is an account used primarily for personal, family or household purposes, which involves multiple payments or transactions. For example, offering extended payment plans to patients makes an entity a "creditor" that offers "covered accounts." In order to determine whether an entity maintains "covered accounts," the entity must conduct a risk assessment, which takes into account the methods it uses to open accounts, the access to such accounts, and the entity's previous experience with identity theft. This risk assessment must be conducted as an initial matter, and also must be conducted on a periodic basis in order to determine the applicability of the Red Flag Rules to that entity.
Delayed Compliance Deadline Now August 1, 2009
Entities covered by the Rule were originally required to comply with the FTC Red Flag Rules, including the requirement to adopt a written identity theft prevention program, by November 1, 2008. On October 22, 2008, the FTC announced that it extended the deadline to comply with the Red Flag Rules to May 1, 2009, due to confusion over which industries and entities are subject to the Red Flag Rules. On the eve of the May 1 compliance deadline, the FTC announced that the date by which entities must comply with the Red Flag Rules has been further extended to August 1, 2009.
In its April 30 press release, the FTC stated that it "will delay enforcement of the new 'Red Flags Rule' until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs." The FTC also announced that it plans to release guidance designed for entities that have a low risk of suffering from an identity theft incident, to help them comply with the Red Flag Rule requirements. The FTC continues to emphasize that the rules themselves are not changing, but that the announcement merely suspends enforcement of these rules until August 1, 2009. This compliance extension again gives affected entities some breathing room; however, it is critical for each entity to move forward with its analysis of whether it meets the definitions of a creditor with covered accounts in order to determine whether its board or other governing body must adopt a written identity theft prevention program by August 1, 2009.
Written Identity Theft Prevention Program
Hospitals and other health care providers that are "creditors" and maintain "covered accounts" must comply with the Red Flag Rules by implementing a written identity theft prevention program. This written identity theft prevention program must be approved and adopted by the Board of Directors or equivalent governing body. This written identity theft program must contain policies that:
• Identify "red flags," including relevant patterns, practices and/or activities that potentially implicate identity theft (see examples below);
• Detect the "red flags" that are identified in the program;
• Respond to "red flag" incidents that are detected in order to prevent and mitigate the effects of identity theft; and
• Ensure that the program is reviewed and updated periodically in order to adjust to changing and developing identity theft risks.
The patterns, practices, incidents or activities that constitute "red flags" of identity theft will vary based upon the particular entity's operations. However, an appendix in the Rule identifies 26 potential red flags, so a good starting point is to consider which of those 26 examples apply to a company's circumstances. Entities may find that their "red flags" will fall under some or all of the following categories: 1) alerts, notifications or warnings received from a consumer credit reporting agency; 2) the presentation by individuals of suspicious documentation that appears to be altered or inconsistent with other documents on file; 3) the submission of suspicious personal identifying information, such as multiple addresses; 4) unusual or suspicious use of or access to a patient's covered account; or 5) notification from patients or law enforcement authorities indicating suspected or actual identity theft.
While each written identity theft prevention program must contain the four fundamental elements listed above (identify, detect, respond, ensure), the manner in which such written policies are implemented should be based upon the size and scope of the entity and a self-assessment of the likelihood of identity theft in light of the entity's operations. In other words, one size does not fit all. Each entity should tailor its program to be appropriate for its operations, its patients, and its technological capabilities. Importantly, hospitals and other health care entities should identify and incorporate into their program "red flags" of medical identity theft in addition to traditional financial identity theft. Implementation of an appropriate program will require coordination between information technology personnel, management personnel, and then ratification by the Board of Directors.
Compliance Deadline And Implementation
The August 1 deadline is rapidly approaching, especially for entities in the health care field that may have been unaware of these Rules. The FTC has emphasized that these requirements should not cause panic within the health care community because it is likely that a health care entity's HIPAA Privacy and Security Policies already include several of the protective and preventative measures that are required under the Red Flag Rules. The Rule requires training of relevant staff - those in a position to detect and respond to Red Flags - as well as implementation of measures to ensure any service providers who might detect red flags also comply with the Rule. Thus, while the FTC asserts that the Rules are flexible and should not be burdensome, substantial compliance measures will be required. The FTC has the authority to impose a penalty of $3,500 per incident of a knowing violation of the Rules, so doing nothing is not a viable option.
Other Laws Relating To Security Breaches And Identity Theft
In addition to the Red Flag Rules, security breaches and potential customer or patient identity theft can implicate other laws and regulations. Approximately 45 states have enacted various forms of security breach notification laws, which require entities that experience a security breach that compromises identifying personal information, to report such breaches to certain authorities and to notify the affected individuals, often within very short timeframes. Additionally, the FTC in April 2009 published a proposed rule setting forth for the first time federal security breach notification requirements. Companies that experience a security breach should refer to the applicable state security breach law, consider the federal requirements and contact counsel in order to take the steps necessary to comply with all notification requirements in a timely manner.
H. Carol Saul is a Member of the Firm at Epstein Becker Green, P.C. in the Health Care and Life Sciences Practice in the Atlanta office. Her practice focuses on regulatory counseling to the healthcare provider sector, including on evolving issues relating to privacy and security of health information. She may be reached at (404) 923-9069. This document has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.