Red Flag Rules – August 1st Enforcement Date Extended Until November 1st

April 30, 2009

On July 29th, the FTC extended the enforcement date for its Red Flag Rules (the “Rules”) from the already extended date of August 1st, 2009 to November 1st, 2009.

While the FTC typically publishes regulations applicable to business corporations, banks and credit institutions, the Rules apply broadly to many organizations, including many educational institutions and health care providers.

The focus of the Rules is the detection, prevention and mitigation of identity theft.  If an institution is a “creditor” which offers or maintains a “covered account” for “personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions…” or offers or maintains any other account which may be vulnerable to identity theft, then the Rules apply.  The FTC has provided a detailed analysis to the American Medical Association on the applicability of the Rules to physicians.  Also, the FTC has issued news releases regarding the applicability of the Rules to health care providers and colleges and universities.

Once your organization determines that the Rules apply, a risk assessment is required to determine how the creditor’s accounts are opened and accessed and whether identity thefts have previously occurred or been attempted. This assessment helps the organization identify its account vulnerabilities.

Colleges and universities which offer extended tuition payment plans or participate in federal student loan programs are “creditors” and must establish a compliance policy addressing, in particular, risks which may occur in the processing of student information.  Similarly, health care providers must address issues like careful review of patient identifying information upon intake and admission, requests for address changes and verification of a patient’s identity prior to disclosing personal information.

Following a risk assessment, a program must be established to address the identified risks.  The program must serve to detect, prevent and mitigate further occurrences of identity theft with respect to covered accounts.

The FTC recognizes that such programs will differ depending on the size, complexity and business of the organization. Additionally, the FTC recognizes that organizations may already have existing policies and procedures which serve to detect, address and control some foreseeable risks. For example, health care providers with effective HIPAA security compliance programs in place may review those policies as a starting point to determine their applicability to the prevention, detection and mitigation of identity theft. The FTC notes that these “Red Flags” programs are not static and should incorporate periodic re-examination of the risks and of the procedures that address them.

All of these programs must have “buy-in” at the board level, and a senior-level employee must be responsible for program oversight. Staff require training to understand the organization’s specific risks and the procedures for preventing and mitigating those risks.

The Federal Trade Commission’s website contains various documents which will assist an organization to comply with the Red Flag Rules.