Red Flag Rules

The Fair and Accurate Credit Transaction Act:  Red Flag Rules

The Red Flag Rules are a product of the Fair and Accurate Credit Transaction Act (FACTA), which President Bush signed into law in December 2003.  The Federal Trade Commission has given an effective date of November 1, 2009, for the enforcement of the identity theft Red Flag Rules.  Final regulations took effect January 1, 2008.

The Red Flag Rule requires financial institutions (institutions that extend credit) and creditors to develop a program to identify, prevent, and mitigate identity theft.  "Red Flags" are described as relevant warning signs of identity theft.  These may include unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents.  The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.  The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

The Red Flag Regulations have three parts, two of which pertain to the health care industry.  The first applies to anyone who uses "consumer reports" for employment, insurance, or credit purposes.  The second places obligations on "creditors and financial institutions" to detect, prevent, and mitigate identity theft in relation to accounts covered under the Red Flag Regulations.

Address Discrepancy Rule

Though the identity-theft red flag rules are significant for creditors only, the final rule's provisions on what an employer must do upon receipt of an address discrepancy apply to all employers that conduct background checks through a consumer reporting agency when making employment decisions.

Users of consumer reports are required to develop and implement reasonable policies and procedures to deal with an address mismatch.  These policies and procedures must allow the employer to form a "reasonable belief" as to whether the applicant is the person they claim to be.  Additionally, users of consumer reports who have a continuing relationship with the applicant and who "regularly and in the ordinary course of business furnish information to the agency from which they received the report" must report a reasonably confirmed address to that agency where there is an address discrepancy.  This will require diligence in reviewing applicants' information.

Red Flag Identity Theft Program

In June 2008, the FTC issued a business alert stating that the rules apply to nonprofits that defer payments for goods and services, have a continuing relationship with a payee, hold a consumer account designed to permit multiple payments or transactions, maintain an account for prepayment for services to be made, or maintain any other account for which there is a reasonably foreseeable risk of identity theft.

Health care organizations can incorporate the rules’ identity-theft policies and procedures into existing compliance programs.  There is no requirement that these rules be separate from the existing compliance program. 

Five Categories of Red Flags:

  • Alerts, notifications, or other warnings received from consumer reporting agencies or service providers (e.g., fraud or active duty alert contained in consumer report).
  • Presentation of suspicious documents (e.g., identification documents seem altered).
  • Unusual use of, or other suspicious activity related to, a covered account (e.g., account used in a way that doesn’t mesh with historical patterns).
  • Notices from customers, victims of identity theft, or law enforcement authorities (e.g., customer notifies organization of unauthorized charges).

Organizations must conduct a risk assessment.  Part of the reason for a risk assessment is to minimize the burden on organizations that don’t have a high risk of identity theft.  If they are subject to the rules, organizations must fulfill the following four requirements for an identity-theft program: identify red flags; detect red flags and incorporate them into a written prevention-and-detection program; respond appropriately to red flags; and periodically update the identity-theft program.

Medical identity theft is not just a financial issue – commingled with medical records it can do real harm to people.  The focus is on detection and the practicality of the rules. 

The rules will be enforced administratively.  There are no criminal penalties for violating them and no private right of action (i.e., individuals cannot sue entities privately for red flag breaches).  State attorneys general also have the authority to enforce the rules.  This program is risk-based and flexible and should not cause providers to panic.

However, the requirement for red flag address verification may apply to providers in their capacity as employers, if they use consumer reports for address verification.

A comprehensive identity theft prevention program must be established by those affected by the Red Flag Rules.  The exact nature of the program is not specified; however, the review process may include the following: identify covered accounts, identify red flags, assess risk levels, determine appropriate responses, document the risk assessment, prepare the identity theft program, obtain board/senior employee approval, report annually thereafter, assign responsibility, and train staff.

In addition, the policies and procedures for Human Resource Departments that utilize consumer reports for address verification must be revised to comply with the address verification requirements.
