The FTC's Red Flag Rule: not just another nuisance.

• Author: Mellow, Mary Anne

This article originally appeared in the August 2009 Medical Defense and Health Law Committee Newsletter.

November 1st marks the first day for mandatory compliance with the Federal Trade Commission's Red Flag Rule, which applies not only to creditors and financial institutions, but also to some health care clients. (1) (The original extension of August 1st for compliance was extended by the FTC on July 29, 2009 to November 1, 2009). (2) Some in the health care community have fretted compliance with this Rule, but rest assured, compliance is attainable, and it is not too late to take steps to fall in line.

Aside from the implementation plan required for all covered entities, compliance should be viewed as an ongoing process in accordance with common sense and a spin off of the Golden Rule: "Do unto others medical records and personal information as you would have done to your own." (3) With that in mind, emphasizing to clients the importance of safeguarding medical information and protecting the integrity of patient accounts will ease the burden of compliance.

Red Flag Rule Overview

The Red Flag Rule was enacted by the Federal Trade Commission (FTC) in November of 2007 as an amendment to the Fair Credit Reporting Act to combat the rise of both traditional and medical identity theft. (4) The Rule targets creditor and financial institutions, but may also apply to health care entities who provide services on credit. (5)

Traditional identity theft occurs when a criminal obtains another individual' s financial and/or personal information in order to obtain credit cards and/or use that person's identity for financial gain at the expense of the victim's credit score. (6) The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to prohibit and prosecute incidents of traditional identity theft. (7)

Medical identity theft occurs "when someone uses a person's name and sometimes other parts of their identity--such as insurance information--without a person's knowledge or consent to obtain medical services or goods." (8) Unlike traditional identity theft which typically only causes financial harm to the victim, medical identity theft has the (9) Potential for life-threatening consequences. Incorrect personal information or false medical record entries can lead to the misadministration of health care which can cause harm and sometimes death. (10) As such, medical identity theft can also lead to malpractice claims against a...