Introduction to the Red Flag Rules for Hospitals
Pursuant to regulations (the Red Flag Rules) issued by the Federal Trade
Commission (FTC), "financial institutions" and "creditors" are required to
develop and implement written identity theft prevention programs, as part of
the Fair and Accurate Credit Transactions (FACT) Act of 2003. Hospitals that
accept deferred payments for medical services will fall within the definition
of "creditor" under the FTC's new Red Flag Rule and must develop and implement
written identity theft prevention programs by November 1, 2008 to comply with
these new regulations.
UPDATE: THE FTC HAS EXTENDED THE COMPLIANCE DATE UNTIL THE END OF 2010.
The purpose of the written identity theft prevention program is to detect,
prevent, and mitigate identity theft in connection with new or existing covered
accounts. The program must be appropriate to the size and complexity of the
creditor and the nature and scope of its activities.
Who must comply with the Red Flag Rules?
The Red Flag Rules apply to “financial institutions” and “creditors” with
“covered accounts.” Under the rules, a creditor is any entity that regularly
extends, renews, or continues credit; any entity that regularly arranges for
the extension, renewal, or continuation of credit; or any assignee of an
original creditor who is involved in the decision to extend, renew, or continue
credit. A covered account is an account used mostly for personal, family, or
household purposes, and that involves multiple payments or transactions. Thus,
hospitals that accept deferred payments for medical services – whether they are
for-profit, non-profit, or governmental entities – will likely fall within the
definition of "creditor," requiring compliance with these rules.
Complying with the Red Flag Rules
Under the Red Flag Rules, financial institutions and creditors must develop a
written program that identifies and detects the relevant warning signs – or
“red flags” – of identity theft. The written program must include reasonable
policies and procedures to:
- Identify relevant Red Flags for the covered accounts that the creditor offers or
  maintains and incorporate those Red Flags into its program;
- Detect Red Flags that have been incorporated into its program;
- Respond appropriately to any Red Flags that are detected;
- Update the program periodically to reflect changes in risks from identity theft
  to customers and to the safety and soundness of the creditor from identity
  theft.
Full text of the Federal Register rules, November 9, 2007
Frequently Asked Questions From the Federal Trade Commission on the Red Flag Rule
Federal Trade Commission's Red Flag Rule How-To Guide
FTC Publishes Red Flag Do-It-Yourself Template for Low-Risk Businesses
Read more about the
OHA/Bricker Compliance Guide for Nonprofit Hospitals and find out how you can
subscribe today.