Identity Theft - Red Flag Rules

Identity Theft Red Flags Rule

Presented by: Stan Thiebaud
Stinnett Thiebaud & Remington LLP

Identity Theft Red Flags Rule—originated in the Red Flag and Address Discrepancy Rules, which are part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 and designate health-care providers, including hospitals, medical practices, and other health-care providers, as creditors.

Date of Implementation:

The rules were to become enforceable on November 1, 2009, but on October 30th the FTC granted an extension until June 1, 2010 for offices to be in compliance. Members of Congress asked for the extension based on the recent decision by the U.S. District Court for the District of Columbia, which ruled that the FTC may not apply the Red Flags Rule to attorneys. Similarly, the American Medical Association has been urging the FTC to exempt physicians from the Rule. In mid-October, House Bill 3763 was submitted to Congress seeking exemption of certain businesses from the Red Flags Rule; this bill includes health care practices with 20 or fewer employees. It appears Congress wants more time to consider this bill before any enforcement deadline.

Who Must Comply?

The Red Flags Rule applies to any entity that meets the definition of a creditor and maintains covered accounts, regardless of whether the health-care provider is a for-profit or not-for-profit entity.

Purpose of the Rule:

Requires applicable entities to implement a Written Identity Theft Prevention Program designed to detect the warning signs—or “Red Flags”—of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.

By identifying “Red Flags” in advance, entities will be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from becoming a costly episode of identity theft.

For hospitals, physicians, ambulatory surgery centers and other healthcare providers—the goal is to protect against medical identity theft.

What is medical identity theft?

Occurs when someone uses a person’s name, and sometimes other parts of their identity such as their date of birth or insurance information, without that person’s knowledge or consent to obtain medical services or goods or to make false claims for them. Medical identity theft can also result in erroneous entries in existing medical records and can involve the creation of fictitious medical records in the victim’s name.

In 2008, HIMSS (Healthcare Information and Management Systems Society) conducted a survey of 155 hospitals and ambulatory facilities across the United States regarding medical identity theft. Of the 155 providers, 20% had experienced medical identity theft at their facility.

Approximately 250,000 people were victims of medical identity theft in 2005 according to the Federal Trade Commission.  It is estimated that 1 in 23 identity theft victims is a victim of medical identity theft. 

“Stealing and cashing in on medical identities is the ‘theft of the future,’” according to Kirk Ogrosky, deputy chief for health care fraud in the Department of Justice’s criminal division.

What is the draw to medical identity theft?

According to the FTC, a Social Security card is worth $1 on the street, while stolen medical ID cards will fetch between $25 and $50 per identity. “They are worth more because it is so much easier to steal your medical identity information and submit a false claim against your insurance coverage,” says Harry B. Rhodes, AHIMA’s director of practice leadership. “The average insurance card is usually very plain with only your name on it—no photo, no computer chip like credit cards have—so it is much easier to steal and submit a false claim compared to credit card theft.”

The economic benefits are more lucrative as well. “Credit card limits are usually $20,000 or much less nowadays. But the lifetime benefits on insurance are in the millions of dollars. Victims of medical identity theft often realize that their medical identity has been stolen when they are denied benefits because they’ve reached their limit,” Rhodes says.

Cost of Medical Identity Theft to Healthcare Organizations

Healthcare fraud costs between $70 billion and $255 billion per year, which is between 3% and 10% of total U.S. healthcare spending.

The FTC says that it takes five to 20 hours to clean up records after every incident, at a cost of $182 per record.

Privacy experts are concerned that, as we push towards electronic medical records (EMRs), it will become easier for people to gain unauthorized access to sensitive patient information on a large scale.

The Identity Theft Red Flags Rule is the federal government’s current response to this concern as EMRs become the norm in our medical practices and facilities.

Creditor—an entity that offers or maintains accounts primarily for the customer’s personal, family or household purposes that involve or are designed to permit multiple payments or transactions, OR that regularly extends, renews, or continues credit, or regularly arranges for the extension of credit, by not demanding payment for goods or services immediately when they are provided.

**The Federal Trade Commission considers physicians and healthcare providers who accept insurance or allow payment plans to be creditors and therefore subject to the Red Flags Rule. Healthcare providers extend credit by allowing deferred payment until the insurance is collected.

The AMA is currently fighting this interpretation by the FTC.

Who is not a creditor? If your practice requires payment in full at the time of service (e.g. cash, credit card, Medicare, or Medicaid), then you are not considered a creditor for purposes of this Rule.

Covered Account—There are two categories of accounts covered:

1) within a physician’s practice, any account offered for the patient’s personal, family or household purposes that is designed for multiple transactions; OR

2) an account that has a foreseeable risk of identity theft to patients served by the entity or to the safety and soundness of the entity (e.g., within a physician’s practice, single-transaction consumer accounts).

**Key to Category 2)—category 2) accounts are considered covered accounts “only if the risk of identity theft is foreseeable.”

Red Flag—a pattern, practice or specific account activity that indicates the possibility of identity theft. 

The FTC identifies the following as “Red Flags”:

Knowing Violation—A “knowing violation” is not a term defined in the Red Flag Regulations; it is defined by federal courts. Generally, courts have ruled that a knowing violation of a law occurs when a person knows his or her legal obligations and purposefully disregards them or is indifferent to them. (Discussed in American Arms Intern v. Herbert, 563 F.3d 78 (C.A.4 (Md.) 2009).)

Red Flags Rule is different from HIPAA

While HIPAA protects personal health information, the Red Flags Rule is designed to protect other private and sensitive identifying information, including:

How to comply?

The Rule requires organizations to have “reasonable policies and procedures in place” to identify, detect and respond to identity theft “red flags.” The definition of “reasonable” depends on your practice’s specific circumstances or specific experience with medical identity theft, as well as the degree of risk of identity theft in your practice. The policies should complement your practice’s current HIPAA privacy and security policies and procedures, which outline the administrative, technical, and physical safeguards your practice uses to ensure the security of your patients’ personal health information.

Implementation of Red Flags Program

Risk Assessment

Sample Red Flags Program:

Updating the program factors:

How to Administer Program:

How to Detect Red Flags:

Real World Examples:

How to Prevent and Mitigate Identity Theft:

Enforcement of Rules:

Current Legislation and How it May Impact Your Practice