FHCA Web Site

Identity Theft Regulations: Red Flag Rules

FTC Grants Three-Month Delay of Enforcement of Red Flags Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs.

Facilities need to take steps to develop and implement an identity theft program. The Identity Theft "Red Flag" rules became effective November 1, 2008, but enforcement of the second rule, the "creditor" rule was delayed until May 1, 2009.

The American Health Care Association has developed a "package" of information on the Red Flag Rules, which can be found in the four links below. These items do not constitute legal advice but do provide explanations of the two rules that apply to long term care facilities and models/templates of polices and procedures to aid providers in developing their own.

FTC will grant six-month delay of enforcement of 'red flags' rule requiring creditors to have identity theft prevention programs.

FTC Enforcement Policy: Identity Theft Red Flags Rule, 16 CFR 681.

On December 4, 2003, the President signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) into law. It added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA). In November of 2007, the group of implementing agencies issued a final rule implementing the Act. The rule is Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Joint Final Rules and Guidelines, 72 Federal Register 63718, November 9.2007. The mandatory compliance date for rule is May 1, 2009. It is only recently that the Federal Trade Commission (FTC) has indicated the applicability of the rule to the health care sector. The FTC will be the agency that enforces the rules for the health care provider.

The American Health Care Association has provided a comprehensive memorandum on the red flag rules prepared by their General Counsel, Reed Smith. The memo includes two appendices: (1) A sample form/checklist to help with compliance with the rule regarding consumer reports. (2) Illustrative examples of red flags provided in the final rule to assist with compliance with the rule covering "creditor." FHCA is also providing American Health Care's short "cover" memo to the Reed Smith document in which they summarize the key aspects of the rule.

The rule is actually three different but related rules. The first rule applies to nursing facilities and assisted living facilities (hereinafter both referred to as "facilities.") that use credit reports. The second rule, pertaining to creditors, may apply to facilities. There is some uncertainty regarding its application, and the American Health Care Association is seeking an FTC opinion. The third and last rule, involving credit cards, does not apply to facilities.

The rules are referred to as red flag rules because the meaning of the term "red flag," provided in the regulation, is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Thus, the identity theft programs must include a list of red flags pertinent to the nature, size and complexity of the entity. As facilities become familiar with the rules, in preparation for developing an identity theft program, it is advised that they review their compliance with the Health Insurance Portability and Accountability Act (HIPAA). There may be features of a facility's HIPAA compliance program that, while not substituting for an identity theft program, might nevertheless complement the identity theft program and could be useful in meeting the requirements of the red flag regulations.

FHCA will inform members immediately regarding a response that AHCA receives from the FTC on the application of the "creditor" rule. In the meantime, FHCA believes it is important for facilities to take steps towards compliance. To assist with this effort, FHCA will be providing members with a guidance being developed by the American Health Care Association and the compliance workgroup of the Long Term Care Consortium, which offers examples of red flags pertaining to the two applicable rules.

The photos and images on the www.fhca.org website are the property of Florida Health Care Association and cannot be used in any manner without FHCA permission in writing.


Home About FHCA Advancing Excellence Contact Us Emergency Preparedness Family Forum FHCA Florida Leaders Assisted Living Job Board Members Only Member Search Membership Online Store Press Center Quality Improvement Seminars/Events Sites of Interest Treasure our Elders What's New FHCA on Twitter FHCA on Facebook	Members Only (Regulatory) Identity Theft Regulations: Red Flag Rules FTC Grants Three-Month Delay of Enforcement of Red Flags Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs. Facilities need to take steps to develop and implement an identity theft program. The Identity Theft "Red Flag" rules became effective November 1, 2008, but enforcement of the second rule, the "creditor" rule was delayed until May 1, 2009. The American Health Care Association has developed a "package" of information on the Red Flag Rules, which can be found in the four links below. These items do not constitute legal advice but do provide explanations of the two rules that apply to long term care facilities and models/templates of polices and procedures to aid providers in developing their own. Memorandum on FTC Address Discrepancy Regulations: Requirement to Verify Address Only Upon Receipt of a Notice of Address Discrepancy from a Consumer Reporting Agency Memorandum Red Flag Identity Theft Regulations: Implications for Nursing Facilities and Assisted Living Facilities Model Policy Template - Policy on Administration and Oversight of Red Flag Identity Theft Prevention Program Model Policy Template - Red Flag Identity Theft Prevention and Detection Procedures FTC will grant six-month delay of enforcement of 'red flags' rule requiring creditors to have identity theft prevention programs. FTC Enforcement Policy: Identity Theft Red Flags Rule, 16 CFR 681. On December 4, 2003, the President signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) into law. It added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA). In November of 2007, the group of implementing agencies issued a final rule implementing the Act. The rule is Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Joint Final Rules and Guidelines, 72 Federal Register 63718, November 9.2007. The mandatory compliance date for rule is May 1, 2009. It is only recently that the Federal Trade Commission (FTC) has indicated the applicability of the rule to the health care sector. The FTC will be the agency that enforces the rules for the health care provider. The American Health Care Association has provided a comprehensive memorandum on the red flag rules prepared by their General Counsel, Reed Smith. The memo includes two appendices: (1) A sample form/checklist to help with compliance with the rule regarding consumer reports. (2) Illustrative examples of red flags provided in the final rule to assist with compliance with the rule covering "creditor." FHCA is also providing American Health Care's short "cover" memo to the Reed Smith document in which they summarize the key aspects of the rule. The rule is actually three different but related rules. The first rule applies to nursing facilities and assisted living facilities (hereinafter both referred to as "facilities.") that use credit reports. The second rule, pertaining to creditors, may apply to facilities. There is some uncertainty regarding its application, and the American Health Care Association is seeking an FTC opinion. The third and last rule, involving credit cards, does not apply to facilities. The rules are referred to as red flag rules because the meaning of the term "red flag," provided in the regulation, is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Thus, the identity theft programs must include a list of red flags pertinent to the nature, size and complexity of the entity. As facilities become familiar with the rules, in preparation for developing an identity theft program, it is advised that they review their compliance with the Health Insurance Portability and Accountability Act (HIPAA). There may be features of a facility's HIPAA compliance program that, while not substituting for an identity theft program, might nevertheless complement the identity theft program and could be useful in meeting the requirements of the red flag regulations. FHCA will inform members immediately regarding a response that AHCA receives from the FTC on the application of the "creditor" rule. In the meantime, FHCA believes it is important for facilities to take steps towards compliance. To assist with this effort, FHCA will be providing members with a guidance being developed by the American Health Care Association and the compliance workgroup of the Long Term Care Consortium, which offers examples of red flags pertaining to the two applicable rules. The photos and images on the www.fhca.org website are the property of Florida Health Care Association and cannot be used in any manner without FHCA permission in writing.