Red Flag Rule

WPF updates Red Flag report

WPF Red Flag Report -- The World Privacy Forum has updated its Red Flag report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The update reflects the new effective date of the Red Flag Rule, (November 1, 2009) and incorporates other minor updates in the text. This report replaces the original Red Flag report published September 2008.

Red Flag Rule: Executive Summary

Under recently issued regulations, the Federal Trade Commission requires financial institutions and creditors to develop and implement written identity theft prevention programs. The broad purpose of these Red Flag and Address Discrepancy Rules [1] is to require financial institutions and creditors to formally address the risks of identity theft and develop a mitigation plan. Health care providers can be creditors and, therefore, subject to the new rules, which were originally were scheduled to take effect on November 1, 2008. The FTC suspended enforcement until November 1, 2009. [2]

Red Flag Rule: Background

The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission and bank regulatory agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. The requirement includes special regulations directing debit and credit card issuers to validate notifications of changes of address under certain circumstances. 15 U.S.C. § 1681m(e). Another FCRA amendment calls for additional joint regulations offering guidance regarding reasonable policies and procedures that a user of a consumer report (e.g., a credit grantor) should employ when the user receives a Notice of Address Discrepancy. 15 U.S.C. § 1681c(h).

Red Flag Rule: How the Red Flag Rule Affects Health Care Providers

The Red Flag Rule applies broadly to financial institutions, credit grantors, and some others, including some health care providers. A health care provider comes under the Red Flag rule if the provider: 1) meets the definition of creditor under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)). A health care provider comes under the Address Discrepancy Rule if they: 1) use consumer credit reports.

Red Flag Rule: What are the Obligations for a Health Care Provider Covered by the Red Flag Rule as a Creditor?

A health care provider that qualifies as a creditor that offers or maintains covered accounts must develop and implement a written Identity Theft Prevention Program. The purpose of the program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The Program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. A large hospital will need a more robust program than a two-doctor office.

Red Flag Rule: What are the Address Discrepancy Obligations for a Health Care Provider That Uses Credit Reports?

The Address Discrepancy rule requires a user of a consumer report (credit report) to develop and implement reasonable policies and procedures to enable the user to deal with an address discrepancy. These requirements are narrower than the Red Flag rule for creditors. However, applicability of the address discrepancy requirement may affect a broader class of health care provider (and health insurers) than the Red Flag rule.

Red Flag Rule: Appendix 1 - Reproduction of the Red Flag and Address Discrepancy Guidelines and Supplement

Following is a reproduction of the Guidelines and Supplement to the Red Flag and Address Discrepancy Rules. The rulemakings may be found at Federal Trade Commission et al., Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. (Nov. 9, 2007), <http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf>.

World Privacy Forum Publishes Red Flag Rule Suggestions for Hospitals and Providers; new FTC-enforced rules go into effect Nov. 1, can apply to health care providers

SAN DIEGO, Ca., Sept. 24 -- The World Privacy Forum’s latest report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, discusses the applicability of the new FTC regulations to the health care sector along with suggestions for providers. The report addresses newly issued regulations by the Federal Trade Commission that require financial institutions and creditors to develop and implement written identity theft prevention programs. Health care providers – whether they are for-profit, non-profit, or governmental entities – may have obligations under the new rules.

World Privacy Forum Comments on "Red Flag" Guidelines for Identity Theft, Requests Addition of Medical Identity Theft to Red Flag Rule

Identity theft | medical identity theft -- The World Privacy Forum filed comments with the Federal Trade Commission, the Treasury, and other federal agencies today regarding the joint draft rule on "Red Flags" for identity theft. In its comments, the World Privacy Forum requested that medical identity theft be added to several aspects and portions of the proposed rule. Adding medical identity theft to the rule is essential to help close gaps in protection for consumers and to encourage health care providers to attend to victims' challenges and needs regarding medical identity theft.