Waving the Red Flag for the FACT Act
Wednesday, November 11, 2009
By now, unless they have been hibernating, all United States
dermatologists should be aware of a relatively new law, the
Fair and Accurate Credit Transactions (FACT) Act, and of the
so-called 'Red Flag Rules' issued under it, which require creditors
to establish a written program to detect and prevent identity theft.
Enforcement of the Red Flag Rules had been scheduled for May
2009, but was postponed until August, and again until November.
With several organizations threatening litigation, further
postponements are possible; but, barring a bureaucratic miracle,
sooner or later doctors' practices will have to comply.
The law was originally aimed at financial institutions, but the
Federal Trade Commission (FTC) subsequently decided it could also
apply to any group that could be considered a 'creditor',
defined as "any entity that regularly extends, renews, or continues
credit, or arranges for the extension of credit."1,2
This definition includes any medical practice where "... [the
provider] does not regularly demand payment in full for services or
supplies at the time of service."1,2 In other
words, if you routinely bill patients after the visit for any portion
of your fees, including the portions that are not paid by insurance
carriers, you are considered a creditor under the FACT Act.
In order to comply with the law, the FTC states that you must
develop a program that does the following:
1. The program must include reasonable policies and procedures to
identify the red flags of identity theft you may run across in the
day-to-day operation of your practice.
2. The program must be designed to detect the red flags you have
identified.
3. The program must spell out the appropriate actions you will take
when you detect a red flag.
4. Because identity theft is an ever-changing threat, the program
must state how you will re-evaluate it periodically to reflect new
risks from this crime.
What is a 'Red Flag'?
Basically, a Red Flag is a warning sign: something that should alert
clinical practice staff to suspicious activity that might indicate
identity theft. The FTC guidelines list five categories of warning
signs that should be acknowledged and addressed1:
1. Alerts, notifications, or warnings from a
consumer reporting agency or any entity that performs services on
your 'covered accounts'. For example:
- A fraud or active duty alert on a credit report.
- A notice of a credit freeze in response to a request for a credit
report.
- A notice of address discrepancy provided by a credit reporting
agency.
- A credit report indicating a pattern of activity inconsistent
with the person's history; for example, a big increase in the
volume of inquiries or the use of credit, especially on new
accounts; an unusual number of recently established credit
relationships; or an account that was closed because of an abuse of
account privileges.
2. Suspicious documents, such as:
- Identification that looks altered or forged.
- The person presenting the identification does not look like the
photo or match the physical description.
- Information on the identification that differs from what the
person presenting it is telling you, or that does not match other
information you hold, like a signature card or a recent check.
- An application that looks like it has been altered, forged, or
torn up and reassembled.
3. Suspicious personal identifying information;
for example, an address, telephone number or date of birth that is not
consistent with the information you already have on file.
4. Suspicious activity relating to a 'covered
account'; for example, an inactive account that has not been
used in some time suddenly becoming active again.
5. Notices from customers, victims of identity
theft, law enforcement authorities, or other groups about possible
identity theft in connection with 'covered accounts'.
What is a 'Covered Account'?
A covered account is any financial account used mainly for
personal purposes that involves multiple payments or transactions,
and for which there is a foreseeable risk of identity theft.
Essentially, any open patient billing account is a covered account.
The FTC is devoting particular attention to medical billing
accounts, because the theft of a patient's information to
fraudulently obtain medical care can cause a variety of serious
problems over and above those usually associated with identity
theft. These problems can include exhaustion of the victim's health
benefits and a potentially life-threatening corruption of the
victim's medical records.
How Does This Affect my Practice?
The new law requires doctors to develop a written program,
appropriate to the size and complexity of their practice, spelling
out Red Flags, their anticipated responses to them, and the
preventive actions they plan to take if there has been a breach or
attempted breach of their database. The program should include an
outline of appropriate staff training, and a plan for monitoring
staff to ensure that they are all following the program.
The program must be updated periodically to reflect changes
in the risks to patient data; this ensures that the program
remains current and relevant as methods of identity theft evolve.
If you employ a billing service and/or a collection agency, or
any other outside entity that has access to your covered accounts,
you must also take appropriate measures to ensure that their
activities are conducted under a reasonable security program
against identity theft. This could be done either by amending your
existing Health Insurance Portability and Accountability Act
(HIPAA) Business Associate Agreements or through separate written
agreements.
Some states have their own additional rules and requirements,
which might need to be incorporated into your security program. It
is advisable to check with the relevant agencies in your state
regarding this possibility.
Do I Need to Act Now?
Violations of the Red Flag Rules can subject your practice to
significant penalties, particularly if a patient's identity is
stolen when the theft could have been prevented by a compliant
program.
The good news is that the exercise is not as onerous or
time-consuming as many might assume. The law allows great
flexibility, so if you determine that your practice has a
low risk of identity theft, developing a program should be simple
and straightforward, with only a few Red Flags to identify and
address.
The American Medical Association, as well as other groups,
continues to work to convince the FTC that
physicians should not be included in the Red Flag Rules program.
But at the time of publication of this article, such efforts
appear to be a long shot. So, for the time being, you should
be prepared before the current 1 November 2009 deadline.
Several organizations have posted information online to assist
medical practices and other businesses in developing their own
programs:
- The California Society of Municipal Finance Officers
provides template documents that can be modified
to fit most dermatology offices.
- The American Academy of Dermatology has more detailed information.
- The American Medical Association has an excellent sample document.
References
1. Federal Register, Vol. 72, No. 217, Friday, November 9, 2007,
Rules and Regulations. Accessed August 2009.
2. Federal Trade Commission. Fighting Fraud with the Red Flags Rule:
A How-To Guide for Business. Accessed August 2009.