Red Flags Rule extension proliferates medical identity theft

October 30, 6:48 PMIdentity Theft ExaminerJoe Campana

Previous Next

2 comments Print Email RSS Subscribe

Subscribe

Get alerts when there is a new article from the Identity Theft Examiner. Read Examiner.com's terms of use.

Email Address   Include other special offers from Examiner.com Terms of Use

For a fourth time, the Federal Trade Commission (FTC) has delayed enforcement of the Red Flags Rule, an identity theft law--now until June 1, 2010. The FTC announcement came late this afternoon. The Red Flags Rule is a law intended to help control the spread of identity theft.

The rule was scheduled to be enforced for millions of businesses on November 1, 2008, but FTC enforcement has been extended on four separate occasions.  The rule has been in effect for those financial institutions regulated by federal banking and credit union authorities since the original deadline. There has been controversy surrounding enforcement of the rule for other types businesses regulated by the FTC.

Under the law, businesses that allow customers to purchase goods or services on credit must take reasonable and appropriate steps to authenticate that they are extending credit to a real person and not an identity thief.

Identity thieves can run up credit of all types. They leave consumer and business victims responsible for covering incurred charges.  This includes medical services when they are obtained fraudulently under the pretext of a public or private reimbursement to the medical service provider. The Red Flags Rule is an outcome of revisions to the Fair Credit Reporting Act (FCRA). The revisions to FCRA are known as the Fair and Accurate Credit Transactions Act of 2003.

Controversy over the Red Flags Rule has been growing since its inception. Initially the FTC extended the deadline to give small businesses additional time to comply.  The FTC has been proactive by sponsoring outreach workshops around the nation to educate small businesses on the meager and common sense requirements of the new law. Recently the FTC published materials so most small business, especially those at lower risk, could readily comply.

Last year the American Medical Association began to contest the applicability of the Red Flags Rule to medical practices, and other industry and trade groups followed suit including the American Bar Association that wanted lawyers exempt from the law. 

On October 20, 2009 Congress briefly debated excluding certain small businesses--small health care practices, law offices and accounting firms from the definition of creditors under the Red Flags Rule.

A bill, HR 3763, characterized as bipartisan by sponsors John Adler, a Democrat representing New Jersey and four Republican House members including two medical doctors Ron Paul (R-TX) and Paul Broun (R-GA) proposed to limit the Red Flags Rule by excluding medical practitioners and others. The bill unanimously passed the house (400-0) and has been referred to the Senate Committee on Banking, Housing and Urban Affairs for action.  The legislation appears to be stalled in the Senate.

The bill excludes health care, accounting and legal practices with 20 or fewer employees.  Additionally, any business that knows all of its customers or clients individually; performs services in or around the residences of its customers; or has not experienced incidents of identity theft and identity theft is rare for businesses of that type may also apply for exclusion according to the house resolution.  These exemptions may appear logical to those who are not familiar with the many variations of identity theft. 

It appears that the coalitions of health care led by the American Medical Association and legal professionals led by the American Bar Association won out over what many consumers would consider a common sense law. The law is intended to prevent both consumers and businesses from becoming  victims of identity theft.  The Red Flags Rule could be instrumental in curbing the rampant growth of medical identity theft.

On the house floor, Representative Adler, the sponsor of the bill, plead that the law is a burden to small business in these troubled economic times.

Adler said, “American small businesses are struggling. They are often forced to comply with burdensome regulations that significantly increase their expenses. I am committed to helping small businesses, because the key to our economic recovery is tied to their ability to thrive. Today, my bill will clarify the intention of past legislation so that it isn't blindly enforced against America's small businesses.”

He went on to say, [the] “common sense bill would exempt health care practices, law and accounting firms from the FTC's Red Flag Guidelines. In addition, it would create a system where the FTC has some flexibility to waive implementation of the regulations for other industries.”

Representative Simpson (R-ID) also spoke and made his appeal based on common sense and the burden on certain small businesses.  He said, “   The bill recognizes that many of our nation's small businesses, particularly health providers, are not financial institutions and therefore do not present the same level of risk as financial institutions in cases of identity theft. In fact, many of these medical and dental offices were considered creditors under the rule simply because of the fact that they are willing to work with patients on developing flexible payment plans for those patients that can't afford to pay at the time of service. Thus, this rule actually appeared to discourage efforts to improve access to care for people who can't afford to pay, which runs contrary to all of Congress's efforts, on both sides of the aisle, to improve our health system.”

Under the house bill, health care providers include a broad range of services ranging from marriage and family therapists to veterinarians.

Although health care providers are not financial institutions, they are a source of medical identity theft. Many illegal immigrants and others in need of work, government benefits and health care use social security numbers obtained illegally to work and to obtain government benefits and health care services.

There are more than 10 million illegal immigrants in the U.S., and some estimates top 20 million. This population is the major market for fake identification, which is often based on stolen identities. There are an estimated 10 million identity theft victims in the U.S. each year.

Illegal immigration has not been addressed as a part of health care reform. Until it is, the problem of illegal immigrants obtaining health care illegally by using the social security numbers of other people will persist.

When illegal immigrants and others obtain health care services by using false identities, there are multiple victims. The person whose identity was used becomes a victim, as does the medical practice. The victim may be held financially responsible and his or her medical records will be tied to those of the identity thief, which can have fatal consequences if the victim is mistreated based on the medical records of the impostor. The medical practice providing the services may not be paid for their services--that's an economic burden. If the fraudulent medical transaction is paid by an insurance company or public assistance plan (Medicare, Medicaid, Obama care, etc.), taxpayers foot the bill for the fraudulent medical services transactions.

It is common sense that all businesses large and small; medical, legal, accounting, retail, and others should take reasonable and appropriate steps to make sure they are extending credit to  real persons and not to identity thieves.  Businesses that fall prey to identity thieves lose money, and apparently aid and abet the commission of an identity theft crime when they accept false identification. A business of any size may be liable to financially, physically or emotionally harmed identity theft victims. 

During times of economic trouble, many businesses, particularly the smaller ones find they have time to address mundane business issues such as compliance, which they often put off during busy times of growth and abundance. For many businesses, today may be the ideal time to consider Red Flags Rule compliance. Businesses should also learn how Red Flags Rule compliance helps them reduce business fraud and liability.  It's common sense for businesses to want to avoid fraud and protect their customers. 

The opposition to the Red Flags Rule is a natural resistance to change. Legislators ought to take time to understand the rationale and requirements behind the Red Flags Rule before siding with industry groups by opposing it. It is ironical that law practices want to be exempted, as many will be taking the situation as an opportunity to advise and bill their business clients on how to comply with or be exempted from the Red Flags Rule. 

Although many small businesses are covered by the Red Flags Rule, it is unlikely that the Federal Trade Commission would enforce the law against the millions of small businesses covered. The FTC is already pressed to enforce many other consumer protection laws against larger organizations. However, there is merit in mandating compliance. It is likely to get a majority of ethically run businesses to consider how they can avoid being victimized by fraudulent credit transactions and how they can take steps to prevent innocent consumers from being victimized. It also gives victims of identity theft  the ability to hold rogue businesses, those that proliferate identity theft by lax credit practices, legally responsible for financial, physical and emotional damages.

The fact that the House of Representatives unanimously passed the bill suggests, that like most consumers, our elected officials do not understand how identity theft is committed, its far reaching consequences and the devastating long-term effect that it has on the victims, small businesses, taxpayers and the economy.

HR 3763 is a loss for consumers and for the potential eradication of identity theft by stopping thieves from using stolen information at the point of sale or service.