ATLANTA — Just when you thought you had all the newest rules and regulations under control, it's time to make sure you're ready for the FTC's "Red Flags Rule" on identity theft. The full text of the rule, which includes guidelines for developing an identity theft program (beginning on page 63773), is available at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. To gain a better understanding of its legal requirements, HomeCare asked health care attorney Jeff Baird, chairman of the Health Care Group at Brown & Fortunato, to explain the Red Flags Rule. His Q&A on the basics of the rule, which has a compliance date of May 1, follows:

Q: What is the Red Flags Rule?

A: The Red Flags Rule is a set of regulatory provisions regarding the prevention and mitigation of identity theft, including medical identity theft. Section 114 of the Fair and Accurate Credit Transactions Act of 2003 amended the Fair Credit Reporting Act of 1970 to require federal bank regulatory agencies, the National Credit Union Administration and the Federal Trade Commission to jointly develop rules and guidelines regarding identity theft. The final Red Flags Rule was published Nov. 9, 2007, and initially required a compliance date of Nov. 1, 2008. The compliance date was subsequently delayed to May 1, 2009. This means that the Red Flags Rule is effective right now.

Q: Is the Red Flags Rule applicable to HME suppliers?

A: Yes, the Red Flags Rule applies to most, if not all, HME suppliers. The Red Flags Rule applies to "financial institutions" and "creditors" that maintain "covered accounts." The American Medical Association argued that a health care provider is not a "creditor" under the rule. However, the FTC considers a creditor to be any entity that regularly defers payment for goods and services. In other words, a health care provider that bills patients after services are rendered or that bills third-party payers for services rendered to patients is a creditor under the rule. A health care provider that requires payment before or at the time of service is not a creditor.

A "covered account" is a consumer account that allows multiple payments or transactions, or has a reasonably foreseeable risk of identity theft. The FTC takes the position that patient accounts are generally covered accounts under the rule.

Q: What are the basic requirements of the Red Flags Rule?

A: Entities subject to the Red Flags Rule are required to develop a written identity theft prevention program to spot warning signs, or "red flags," of identity theft. The program must include reasonable policies and procedures that address four basic elements.

First, the program must have policies and procedures to identify red flags during the day-to-day operation of the business. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if the patient must show some form of identification during intake, then an identification card that looks fake would be a red flag.

Second, the program must have policies and procedures to detect the red flags that have been identified. Continuing the above example, if a fake ID is a red flag, then the program must have policies and procedures in place to detect fake IDs. Third, the program must specify the steps the HME supplier will take when a red flag is detected. The steps should be designed to prevent and mitigate any harm from the detected red flag. In our example, the program would need to specify what actions the HME supplier will take when it determines that a patient has presented fake ID to law enforcement.