Red Flags Rules go into effect Nov. 1
ADA probes FTC on identity theft prevention compliance for dentists
Under the rules, most dentists who extend credit to or arrange credit for their patients are supposed to have a written identity theft prevention program in place by Nov. 1.
The rules, mandated by a 2003 fair-credit law and issued in November 2007, go beyond financial institutions to include all types of creditors who maintain accounts for their customers (or patients). The rules require U.S. financial institutions and creditors, including many in the health care sector, to have written programs to detect and respond to activities that could indicate that an identity theft has taken place.
The FTC staff recently issued guidance expressly stating that the rules will apply to health care providers who provide or arrange for credit. They explain that by deferring payment—for example, sending a bill or establishing a post-treatment payment plan—a health care provider is considered a creditor under the rules.
"Health care providers can be the first to spot the red flags that signal the risk of identity theft, including suspicious activity indicating that identity thieves may be using stolen information like names, Social Security numbers, insurance information, account numbers and birth dates to open new accounts or get medical services," FTC staffers told the ADA in a statement of initial guidance on the rules.
The rules require a written identify theft detection program with policies and procedures to identify, detect and respond to "red flags" of identity theft. Instead of providing specific examples of what the program might entail, the FTC is allowing covered entities flexibility to implement a program that best suits their businesses or organizations, as long as the program meets the rules' requirements.
In addition to the general requirements, the program must also include, among other things, a reporting mechanism to allow periodic evaluations of the efficacy of the policies and procedures. Another section of the rules specifically requires persons who obtain reports from consumer reporting agencies to be alert for address discrepancies in those reports.
The ADA Legal Division is gathering additional information to clarify when dentists are covered by the rules and what dentists must do to comply with them and notes that many dental offices may already have policies and procedures in place to verify and protect the identity and privacy of patients and may have personal experience with an identity theft. Such existing policies, procedures and real life experience can be incorporated into the required program. The program, however, must be in writing. The rules also state that it must be administered by the "board of directors," or, if there is no board, by appropriate management. For a dental practice this means an appropriate staff member.
"Many dentists have longstanding relationships with their patients and their families," said ADA Chief Legal Counsel Tamra S. Kempf. "For those types of practices, a written program with policies and procedures may simply require a staff person to identify an existing patient by sight, obtain proper identification when a new or unrecognized patient comes to the practice, verify billing or other credit information in the patient's file, and take action where discrepancies are noted. These steps should go a long way toward complying with the rules."
As the ADA Legal Division continues to gather information, the ADA News will provide more details on who is covered and how dentists can best comply with the rules in a manner appropriate for dental offices.
Additional information and guidance may be found on the FTC's Web site at: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm. A copy of the final Rules can be found at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.