Ask the legal expert: assessing the impact of "Red Flag Rules"
Attorney John Durso, Ungaretti & Harris LLP
To combat identity theft, the Federal Trade Commission has implemented the “Red Flags Rules.” These rules require certain covered entities to create a program to defend against potential identity theft.
The Red Flags Rules apply to a creditor's covered accounts. The FTC uses a broad definition of creditor, which includes any party that allows the right to purchase services and defer payment for those services. All long-term care facilities that use deferred payment or billing systems are considered creditors. Covered accounts include any account either designed to permit multiple payments or where there is a reasonably foreseeable risk of identity theft to the customer. Any resident billing account will constitute a covered account. Therefore, most long-term care facilities are considered creditors providing covered accounts that must comply with the Red Flags Rules.
The Red Flags Rules require covered long-term care facilities to implement a written identity theft prevention program by August 1, 2009. The program should be appropriate to the size and complexity of the company, must be approved by the board of directors and should contain reasonable procedures to identify, detect, and respond to warning signs that identity theft could be a concern. Recommended steps include assembling a risk assessment team, updating and overseeing the program, and overseeing service provider arrangements.
For most facilities, the identity theft prevention policy will be a fairly simple document indicating how identity theft threats will be identified and how to address instances of suspected identity theft.