
Waving the Red Flag for the FACT Act

Joseph S. Eastern, MD, FAAD

Wednesday, November 11, 2009

By now, unless they have been hibernating, all United States dermatologists should be aware of a relatively new law called the Fair and Accurate Credit Transactions (FACT) Act, as well as the so-called 'Red Flag Rules', which require creditors to establish a program in order to prevent identity theft.

The FACT Act was originally scheduled to take effect in May 2009, but was postponed until August, and again until November. With several organizations threatening litigation, further postponements are possible; but, barring a bureaucratic miracle, sooner or later doctors' practices will have to comply with it.

The law was originally aimed at financial institutions, but the Federal Trade Commission (FTC) subsequently decided it could also apply to any group that could be considered to be a 'creditor', defined as "any entity that regularly extends, renews, continues credit or arranges for the extension of credit." [1,2]

This definition includes any medical practice where "... [the provider] does not regularly demand payment in full for services or supplies at the time of service." [1,2] In other words, if you routinely charge patients for any portion of your fees, including the portions that are not paid for by insurance carriers, you are considered a creditor under the FACT Act.

In order to comply with the law, the FTC states that you must develop a program that meets the following four requirements [2]:

1.   The security program must include reasonable policies and procedures to recognize the red flags of identity theft you may run across in the day-to-day operation of your business.
2.   The security program must be designed to detect the red flags you've identified.
3.   The program must spell out the appropriate actions you'll take when you detect red flags.
4.   Because identity theft is an ever-changing threat, you must address how you will re-evaluate your program periodically to reflect new risks from this crime.

What is a 'Red Flag'?

A Red Flag is simply a warning sign: something that should alert clinical practice staff to suspicious activity that might indicate identity theft. The FTC guidelines list five categories of warning signs that should be acknowledged and addressed [1]:

1.   Alerts, notifications, or warnings from a consumer reporting agency or any entity that performs services on your 'covered accounts'. For example:

  • Fraud or active duty alert on a credit report.
  • A notice of credit freeze in response to a request for a credit report.
  • A notice of address discrepancy provided by a credit reporting agency.
  • A credit report indicating a pattern of activity inconsistent with the person's history; for example, a big increase in the volume of inquiries or the use of credit, especially on new accounts; an unusual number of recently established credit relationships; or an account that was closed because of an abuse of account privileges.

2.   Suspicious documents, such as:

  • Identification that looks altered or forged.
  • The person presenting the identification doesn't look like the photo or doesn't match the physical description.
  • Information on the identification that differs from what the person presenting it is telling you, or that doesn't match other information on file, such as a signature card or a recent check.
  • An application that looks like it's been altered, forged, or torn up and reassembled.

3.   Suspicious personal identifying documents; for example, an address, telephone number or date of birth that is not recorded accurately.
4.   Suspicious activity relating to a 'covered account'; for example, an inactive account that has not been used in some time suddenly becoming active again.
5.   Notices from customers, victims of identity theft, law enforcement authorities, or other groups about possible identity theft in connection with 'covered accounts'.
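The five categories above read naturally as a screening checklist, and the FTC's second requirement is that a program actually detect the Red Flags it names. The following is an added illustration, not code from the article, the FTC or any practice-management vendor, of how a front-desk screening step could encode those categories as rules over a billing account on file and the identity a person presents. Every field name, the notice codes, the 365-day "inactive" threshold and the triage outcomes are assumptions made for the example; the sample records are constructed.

```python
"""Rule-based Red Flag screener for a covered billing account.

Added example, not from the article or the FTC. The record layout,
notice codes and thresholds below are assumptions for illustration only;
a real program must use the flags identified for the specific practice.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List

INACTIVE_DAYS = 365  # assumption: an account idle this long counts as "inactive"

# Assumed codes for notices received from agencies or third parties (category 1)
AGENCY_NOTICES = {"fraud_alert", "active_duty_alert", "credit_freeze", "address_discrepancy"}
# Assumed codes for notices from patients, victims or law enforcement (category 5)
THIRD_PARTY_NOTICES = {"victim_notice", "law_enforcement_notice", "customer_notice"}


@dataclass
class PresentedIdentity:
    """What the person at the front desk presents (constructed sample)."""
    name: str
    address: str
    phone: str
    dob: date
    photo_matches: bool     # staff judgement: photo resembles the person
    id_looks_altered: bool  # staff judgement: document appears altered or forged


@dataclass
class CoveredAccount:
    """Billing account on file (constructed sample)."""
    account_id: str
    name: str
    address: str
    phone: str
    dob: date
    last_activity: date
    notices: List[str] = field(default_factory=list)  # notice codes received


def _norm(text: str) -> str:
    """Normalise free text for comparison: case-insensitive, collapsed whitespace."""
    return " ".join(text.lower().split())


def _digits(phone: str) -> str:
    """Compare telephone numbers on their digits only."""
    return "".join(ch for ch in phone if ch.isdigit())


def screen(acct: CoveredAccount, presented: PresentedIdentity, today: date,
           inactive_days: int = INACTIVE_DAYS) -> List[str]:
    """Return the Red Flags raised, tagged with the FTC category number."""
    flags: List[str] = []

    # Category 1: alerts or notices from reporting agencies / service providers
    for notice in acct.notices:
        if notice in AGENCY_NOTICES:
            flags.append(f"1:agency_notice:{notice}")

    # Category 2: suspicious documents
    if presented.id_looks_altered:
        flags.append("2:id_altered")
    if not presented.photo_matches:
        flags.append("2:photo_mismatch")

    # Category 3: personal identifying information inconsistent with the file
    if _norm(presented.name) != _norm(acct.name):
        flags.append("3:name_mismatch")
    if _norm(presented.address) != _norm(acct.address):
        flags.append("3:address_mismatch")
    if _digits(presented.phone) != _digits(acct.phone):
        flags.append("3:phone_mismatch")
    if presented.dob != acct.dob:
        flags.append("3:dob_mismatch")

    # Category 4: a long-inactive account suddenly being used again
    if (today - acct.last_activity).days > inactive_days:
        flags.append("4:dormant_account_reactivated")

    # Category 5: notices from customers, victims or law enforcement
    for notice in acct.notices:
        if notice in THIRD_PARTY_NOTICES:
            flags.append(f"5:third_party_notice:{notice}")

    return flags


def triage(flags: List[str]) -> str:
    """Map raised flags to an assumed response tier: proceed, verify or escalate."""
    if not flags:
        return "proceed"
    if any(f.startswith(("2:", "5:")) for f in flags):
        return "escalate"   # forged documents or an identity-theft notice
    return "verify"         # inconsistencies that warrant re-verifying identity


# Constructed sample: account on file and the identity presented today
ACCOUNT = CoveredAccount(
    account_id="ACCT-0001", name="Jane Doe", address="12 Elm St, Springfield",
    phone="555-0100", dob=date(1980, 3, 4), last_activity=date(2008, 1, 15),
    notices=["address_discrepancy"],
)
PRESENTED = PresentedIdentity(
    name="Jane Doe", address="98 Oak Ave, Springfield", phone="(555) 0100",
    dob=date(1980, 3, 4), photo_matches=True, id_looks_altered=False,
)

if __name__ == "__main__":
    raised = screen(ACCOUNT, PRESENTED, date(2009, 11, 11))
    print(raised, "->", triage(raised))
```

Running the sample raises three flags (an agency address-discrepancy notice, an address that differs from the file, and an account dormant for well over a year) and triages to "verify"; a presented identity that matches the file on an active account with no notices raises none. The point of keeping the rules in one place is that the fourth FTC requirement, periodic re-evaluation, becomes a matter of editing and re-testing this list rather than retraining staff from memory.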

What is a 'Covered Account'?

A covered account is any financial account used mainly for personal purposes that involves multiple payments or transactions, for which there is a foreseeable risk of identity theft. Essentially, any open billing account is considered a covered account.

The FTC is devoting particular attention to medical billing accounts, because the theft of a patient's information to fraudulently obtain medical care can cause a variety of serious problems over and above those usually associated with identity theft. These problems can include exhaustion of the victim's health benefits and a potentially life-threatening corruption of medical records.

How Does This Affect My Practice?

The new law requires doctors to develop a written program, appropriate to the size and complexity of their practice, spelling out Red Flags, their anticipated responses to them, and the preventive actions they plan to take if there has been a breach or attempted breach of their database. The program should include an outline of appropriate staff training, and a plan for monitoring staff to ensure that they are all following the program.

The program must be updated periodically to reflect the changes in patient security risks; this will ensure that the program remains current and relevant as methods of identity theft change.

If you employ a billing service and/or a collection agency, or any other outside entity that has access to your covered accounts, you must also take appropriate measures to ensure that their activities are conducted using a reasonable security program against identity theft. This could be done either by amending your existing Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreements or through separate written contracts.

Some states have their own additional rules and requirements, which might need to be incorporated into your security program. It is advisable to check with the relevant agencies in your state regarding this possibility.

Do I Need to Act Now?

Violations of the Red Flag Rules can subject your practice to significant penalties, particularly if a patient's identity is stolen when the theft could have been prevented by a properly implemented program.

The good news is that the exercise is not as onerous or time-consuming as many might assume. The law allows great flexibility, so if you determine that your practice has a low risk of identity theft, developing a program should be simple and straightforward, with only a few Red Flags to identify and address.

The American Medical Association, as well as other groups, continues to insist that it is working to convince the FTC that physicians should not be included in the Red Flag Rules program. But at the time of publication, such efforts appear to be a long shot. So, for the time being, it is necessary for you to be prepared before the current 1 November 2009 deadline.

Several organizations have posted information online to assist medical practices and other businesses in developing their own programs.

  • The California Society of Municipal Finance Officers provides template documents that can be modified to fit most dermatology offices.
  • The American Academy of Dermatology has more detailed information.
  • The American Medical Association has an excellent sample document.

References

  1. Federal Register, Vol. 72, No. 217, Friday, November 9, 2007, Rules and Regulations. Accessed August 2009.
  2. Federal Trade Commission. Fighting Fraud with the Red Flags Rule: A How-To Guide for Business. Accessed August 2009.