Red Flag Rules

FTC Announces it Will Grant a Six-Month Delay of Enforcement of the “Red Flag Rules”

Ambulance Services Now Have Until May 1, 2009 to Implement Identity Theft Prevention Programs

There is good news for many ambulance services who have recently learned, or may not yet be aware of the fact that they are subject to the “Red Flag Rules” – new regulations that would require most services to implement and administer an Identity Theft Prevention Program (“Program”) by November 1, 2008.  On October 22, 2008, the Federal Trade Commission (FTC) announced that it will forbear from bringing any enforcement action for violation of the Red Flag Rules (“Rules”) for six months, allowing many organizations a window of opportunity to implement a Program.   

Ambulance services need to take immediate steps to familiarize themselves with the requirements under the new Rules and implement an Identify Theft Prevention Program before the FTC initiates enforcement action on May 1, 2009.

Click here to read the Red Flag Rule. (PDF Format)

Click here to read the Red Flag Rule Delay of Enforcement. (PDF Format)

Background of the Red Flag Rules

On December 4, 2003, President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which added several new provisions to the Fair Credit Reporting Act (FCRA).  The FACTA directed several government agencies to issue regulations and guidelines regarding the detection, prevention, and mitigation of identity theft.  On November 9, 2007, the FTC and other federal bank regulatory agencies issued joint regulations collectively referred to as the “Red Flag Rules”. 

The Red Flag Rules require financial institutions and creditors to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with new and existing accounts. Under the November 9, 2007 joint regulations, organizations that are subject to the Rules are required to have Programs in place by November 1, 2008.  While most financial institutions that are subject to the jurisdiction of the federal bank regulatory agencies must still comply with applicable regulations by November 1, 2008, the FTC has stated that it will forbear enforcement action against certain creditors, including most healthcare providers, who were unaware that they were covered by the Rules. 

Most ambulance services will meet the definition of a creditor under the Red Flag Rules and are therefore required to be in compliance the FTC’s regulations. 

Why Ambulance Service are Covered Under the Red Flag Rules?

The Rules apply to organizations who meet the definition of a “creditor” that offers or maintains “covered accounts.”  These terms are defined very broadly and most ambulance services are creditors with covered accounts under the definitions in the Red Flag Rules. 

The Red Flag Rules define “creditor” to mean any person who regularly extends, renews, or continues credit. “Credit” means the right granted by a creditor to a debtor to defer payment of debt. Unfortunately, the FTC has not defined the term "regularly” so we are left with a very broad definition that could mean any organization that grants credit.  The FTC stated in a recent June 2008 Business Alert, “[w]here [entities] defer payment for goods or services, they, too are to be considered creditors.  Most creditors . . . come under the jurisdiction of the FTC.”  Many ambulance services, offer patients deferred payment plans or installment payments and would therefore meet the definition of a “creditor” under the Red Flag Rules.   

A "covered account" is defined as a continuing relationship between a person and a creditor in which the creditor maintains or offers the account for the purchase of goods or services for personal, family, household or business purposes, that either: (1) permits multiple payments or transactions; or (2) in which there is a reasonably foreseeable risk to customers or the creditor of identity theft.  Any patient billing account that an ambulance service has established (itself or through its third party billing company) would likely be a “covered account” if the patient is permitted to make multiple payments on the account.  Patient billing accounts could also fall under the second category of “covered accounts” because of the reasonably foreseeable risk that they would be affected by identity theft.

Elements of an Identity Theft Prevention Program

Because most ambulance services likely meet the definition of “creditor” and maintain “covered accounts,” ambulance services are required to establish reasonable processes and procedures to combat identity theft in connection with opening and maintaining the covered accounts, i.e., an Identify Theft Prevention Program.  The Rules state that the Program must be written, and it must be appropriate to the size and complexity of the organization and the nature and scope of the organization’s activities. 

The Program must include reasonable policies and procedures to: (1) identify relevant Red Flags, and incorporate those Red Flags into the program; (2) detect Red Flags that have been incorporated into the program; (3) respond appropriately to any Red Flags that are detected; and (4) ensure the program is updated periodically.  Red Flag means “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”

Administration of an Identity Theft Prevention Program

The initial written Program established by an ambulance service must be formally approved by the service’s board of directors or an appropriate committee of the board.  The ambulance service must also involve the board or an appropriate committee or designated employee to oversee the development, implementation, and administration of the Program.  Administration of the program must include staff training to effectively implement the Program, and must also include oversight of relevant service provider arrangement.

An ambulance service must also periodically conduct risk assessments to determine whether it offers or maintains covered accounts. The risk assessment must take into consideration: (1) the methods that the service provides for opening accounts, (2) the methods the service provides to access its accounts, and (3) and the service’s previous experiences with identity theft.

In addition to the requirements above, the FTC published guidelines in an appendix to its regulations to assist organizations in the formation of their Red Flag programs. Ambulance services should be aware that the Program can be flexible and the FTC does not require any specific language, policies or procedures. Ambulance services need to comply with the basic requirements in the regulations and they have the ability to tailor the Program appropriately to the size and complexity of the organization.  This means that while larger organizations may have to develop a distinct, comprehensive program in addition to other programs they have in place, smaller organizations may opt to incorporate the Program into existing policies and procedures.  Each service will have to make an individual determination in accordance with the general requirements of the Red Flag Rules and take appropriate steps for compliance.