Beginning tomorrow, May 1, any business that extends money, goods, or services on credit will be required to follow the Red Flag Rules. These Rules, part of the Fair and Accurate Credit Transactions Act, require businesses to take the lead in preventing the rampant crime of identity theft.
Under the Red Flag Rules, more than 11 million financial institutions and service providers – from lenders and creditors to utility service providers and even hospitals – must take extra precautions to prevent identity thieves from applying for a loan, service, or medical attention using others’ personal information. These businesses have one more day to put their plans into writing and into practice. They must have procedures in place for quickly detecting and responding to the warning signs of ID theft – before processing the loan or credit application, or extending goods and services on credit. Supervisors must train staff to follow these new procedures, and the procedures must be periodically updated to combat the latest fraudulent methods and techniques. In short, businesses must prove that they are on perpetual high alert for signs of ID theft.
What are Red Flags?
Red flags can include a fraud alert or credit freeze placed on a consumer’s credit report, altered or forged documents, lack of correlation between Social Security number range and date of birth, and the list goes on. Some of the warning signs seem fairly obvious, but the new law requires businesses to not just identify these flags, but also take immediate action against them – before the credit or service is issued. Identity Theft 911’s latest newsletter provides additional useful information on becoming Red-Flag-Rules compliant.
Mixed response to the Rules from the healthcare community
The American Medical Association and over 20 other medical societies are protesting the new government-mandated requirement. They feel that the Rules should be limited to financial institutions, utility companies, auto lenders, and other true “creditors.” But the FTC argues that medical providers are creditors too, since they extend healthcare services to patients before collecting payment. And with 373,000 victims of medical identity theft each year, it seems sensible to require medical providers to do their part in preventing the crime.
Amidst the grunts and groans about the new government-mandated requirement, there are medical offices that are finding the Rules easier to implement than they originally thought. Often, simply tweaking privacy practices already in place through HIPAA (Health Insurance Portability and Accountability Act) will make an office Red-Flag-Rules compliant.
As Janet Compagna of Pediatric Healthcare Associates says, “Your first reaction when you hear about it is ‘This is more work, and who’s going to do it?’ But once you start peeling back the layers of that onion, I think you’ll find that these rules really are just an enhancement of HIPAA. If you have a good HIPAA program in place, you don’t have to start from scratch.”
Of course, time will tell how effective the Rules really are in curbing ID theft, what wrinkles need to be ironed out in their implementation, and how strictly the FTC enforces compliance. As a patient, a consumer, or a borrower, you may experience an additional level of scrutiny before receiving medical care or credit. But know that it’s ultimately for your protection.