“Red Flags” Rule: Medical Compliance by Sue Kay

The August 1, 2009 deadline for complying with the Federal Trade Commission’s (FTC) “Red Flags” Rule is just around the corner. The American Medical Association (AMA) continues to strive to convince the FTC that physicians are not creditors and should not be subject to the Red Flags Rule; in the meantime, it is encouraging physicians and practices to implement an identity theft and protection program. In this article, you will find the basic information you need to know about the “Red Flags” Rule and resources that will help you efficiently implement an appropriate compliance plan.

The Basics

According to the FTC’s publication, “Fighting Fraud with the Red Flags Rule: A How-To Guide for Business,” the “Red Flags” Rule, in effect since January 2008, “requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or ‘red flags’ – of identity theft in their day-to-day operations, take steps to prevent crime, and mitigate the damage it inflicts. By identifying red flags in advance, they will be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.”

From a healthcare perspective, medical identity theft happens when a person seeks health care using someone else’s name or insurance information. According to the FTC, almost 5 percent of identity theft victims have experienced some sort of medical identity theft resulting in significant costs to both the patient and the providers.

Are you a “Creditor?”

The “Red Flags” Rule only applies to you if you meet the criteria for being a creditor. According to Steven Toporoff, an attorney with the FTC’s Division of Privacy and Identity Protection, the law defines “creditor” as any entity that regularly defers payments for goods or services or arranges for the extension of credit. In a May article on the FTC website (http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm), Toporoff states:

  • You are a creditor if you regularly bill patients after the completion of services including the remainder of medical fees not reimbursed by insurance;
  • Health care providers who regularly allow patients to set up payment plans after services have been rendered are considered to be creditors;
  • Healthcare providers are considered creditors if they help patients get credit from other sources (i.e. distribute and process applications for credit accounts tailored to the healthcare industry);
  • Healthcare providers who require payment before or at the time of service are not creditors;
  • If you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not considered to be a creditor.

Another term in addition to creditor that you must consider is “covered account.” The FTC defines a “covered account” as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. With that definition in mind, the accounts you establish for your patients are generally considered to be “covered accounts.”

Therefore, if you meet the criteria for a “creditor” and your patients have what are considered to be “covered accounts,” you must develop a written Identity Theft Prevention Program.

Fortunately, the AMA and several other healthcare organizations have done most of the work for you by creating template-based compliance guidelines/programs. Here are some links to these resources. Use them to efficiently, effectively and easily comply with the “Red Flags” Rule.

AMA Red Flags Rule Guidance Document:


AMA: Sample Policy


(Note: AMA members can access the Word version of the Sample Policy and adapt it to their individual practice.)

The MGMA has many “Red Flags” resources available (some only to MGMA members, including a 30-minute Red Flags Rule Webinar).


Additionally, if you have a specific question about the “Red Flags” Rule, you can email redflags@ftc.gov.

As always, please email us at editor@efficiencyinpractice.com with any questions you may have about the information provided in this article.

Sue Kay, Senior Consultant at InHealth, is the editor of Efficiency in Practice, the free eNewsletter for medical practice managers who want to save time, money and reduce risk. For more information and to access your FREE report, The 8 Things You MUST Know About CMS’ RAC Program, visit www.efficiencyinpractice.com.

This article can be reprinted freely online, as long as the entire article and this resource box are included.
