New guidance available as FTC again delays Red Flags Rule

The new deadline is November 1, 2009.

by Legal and Regulatory Affairs Staff

August 27, 2009 — The Federal Trade Commission (FTC) announced at the end of July an additional delay in its enforcement of the Red Flags Rule (Rule) designed to prevent identity theft. The new deadline is November 1, 2009.

The FTC extended the deadline so that businesses could take advantage of additional guidance and resources that the Commission has developed to help businesses determine whether they are covered by the Rule and, if so, how to comply.

The additional guidance related to psychologists clarifies:

  • When the Rule applies to health care providers

  • How to comply — including a template for a compliance program

  • Who has a low risk of identity theft

  • The consequences of noncompliance

Overall, the recent FTC guidance is consistent with material in the March and April 2009 issues of this Practice Update e-newsletter describing how the Rule affects psychologists.

Does the Rule apply to you?
The FTC's guidance confirms that psychologists (and other health care providers) are subject to the Rule if they fit the federal law definition of "creditor" by regularly letting patients defer payment for services — for example, if you regularly bill patients after you provide services, including billing patients later for the remainder of fees not reimbursed by insurance. (See our April 2009 article for a more detailed discussion of triggering the Rule by billing patients for fees not covered by insurance.)

The FTC indicates that the term "regularly" means "more than just an isolated occurrence" for your practice. Thus, we continue to recommend that if you allow patients to defer payment more than once a year, you should take the relatively basic steps necessary to comply with the Rule.

The Commission also made it clear that accepting credit card payments does not, by itself, make you subject to the Rule.

How do you comply with the Rule?
The new FTC guidance reiterates that there is no single way to comply with the Rule because compliance programs should be tailored to the nature of your business, its size and level of identity theft risk. The bottom line, however, is that compliance requires an Identity Theft Prevention Program (Program) appropriate for your practice.

Recently, the FTC developed a simple online template that any business with a low risk of identity theft can use to develop a Program. (The next section describes "low risk.")

However, we believe that our Program template designed for psychologists is more tailored to the needs of typical low-risk solo and small psychology practices. Further, it provides details about how to detect and respond to potential identity theft.

We've created a newly revised version of our Program template (DOC, 67 KB, originally prepared for the March 2009 issue of PracticeUpdate).

Does your practice have a low risk of identity theft?
The FTC listed the following three factors for determining whether a business has a low risk of identity theft and therefore can use the FTC's very simple online template. After each factor, we provide our assessment of whether and when that factor is likely to apply to psychologists. (If you use our Program template, you can check off the factors that apply to your practice when completing Part I of the Program.)

We expect that most psychology practices will qualify as low risk under at least one of these factors:

You are involved in a type of business where identity theft is rare. For example, if there are no reports in the news, trade press, or among people in your line of business about identity theft and your business itself has not experienced incidents of identity theft, it is unlikely that identity thieves are targeting your sector.

This is the factor that we expect to apply to most psychologists — at least those whose practices have not experienced identity theft. While the FTC reports that almost 5 percent of identity theft victims had some form of medical identity theft, we are aware of no reports of identity theft involving psychology practices.

You know your clients individually. For example, some practices are familiar with everyone who walks into the office. In such a circumstance, the likelihood that an identity thief can defraud a business by impersonating someone else is extremely low.

This factor would primarily apply to psychologists practicing in small, close-knit communities who already know clients or prospective clients who come to their practice.

You provide services to customers in or around their home. The risk of identity theft is extremely low because identity thieves generally do not want people to know where they live.

While few psychologists provide home care, we expect that there would be a similar low level of risk for psychologists who provide services in inpatient settings where the facility has already verified the patient's identity at the time of admission.

If none of the three factors above appears to apply to your practice, we expect that you can still use the model Policy that accompanies this article because it is more detailed than the FTC's template.

What happens if you don't comply?
The latest guidance from the FTC further clarifies the potential consequences of noncompliance.

Penalties and injunctive relief. The FTC can seek both monetary civil penalties and injunctive relief for violations of the Rule. The maximum civil penalty per violation is $3,500. The FTC does not specify how it would determine the number of violations. (In some enforcement schemes, for example, each day of non-compliance may be deemed a separate violation.)

Enforcement actions. The FTC would typically seek penalties and injunctive relief through a lawsuit filed by the U.S. Department of Justice.

While the Rule requires compliance by all health care providers who are "creditors," the FTC recognizes that your risk of identity theft may be so low that, as a matter of prosecutorial discretion, FTC staff would be "unlikely to recommend" bringing a law enforcement action against businesses that have a low risk of identity theft.

Despite the FTC's vague assurance, for the following reasons we recommend that psychologists who believe that they are "low risk" take the relatively simple steps necessary to comply with the Rule:

  • The FTC's statement that it is "unlikely" to recommend an enforcement action is not a guarantee, and the Commission is free to change its enforcement policy in the future.

  • The FTC may analyze your risk differently than you do.

  • If you choose not to comply and your patients' identities are stolen, your patients might bring a licensing board complaint or lawsuit alleging that they were harmed by your failure to follow the Rule. Conversely, if your patients' identities are stolen and you have made good-faith efforts to comply with the Rule, you can argue that you have made reasonable efforts to protect your patients' identities by following the FTC's guidance.

  • Regardless of legal consequences for your practice, implementing an identity theft Program is a relatively easy way to reduce the risk of identity theft for your patients.

Reassessment. The FTC guidance also reiterates that you should periodically reconsider whether your identity theft risk has changed, warranting a different approach with respect to the Rule.

For additional guidance, you may wish to visit the FTC's Identity Theft Site.

Members also may contact our Legal and Regulatory Affairs Department at 800-374-2723, ext. 5886, or send an e-mail.

PLEASE NOTE: Legal issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single document. In addition, laws change over time and vary by jurisdiction. The information in this document should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.