The Federal Trade Commission (FTC) announced that on 1 January 2011, businesses, including dental offices, must begin complying with the ‘Red Flags Rule.’ Although the FTC has issued numerous extensions regarding the implementation of the Red Flags Rule, it is important that every dental practice understand at least the basic intent of the Red Flags Rule.
This rule is designed to deter identity theft, which is a growing problem in business. Innocent victims have had their credit cards, social security numbers and other personal information used by criminals to rack up huge debts, causing major financial and legal issues for these victims.
Dentists will be required to comply with the new federal regulations, and many are asking what this will entail.
The Act
This act, created by the Federal Trade Commission, was passed in January 2008. Originally, the act was to be enforced by Nov. 1, 2008. However, due to opposition, the deadline has been extended to Jan. 1, to give creditors and financial institutions more time to implement written identity theft programs and to give Congress more time to further contemplate the issue.
The Red Flags Rule was based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA).
The FACTA was enacted to help prevent identity theft, restore credit histories, improve consumer access to credit information, enhance the accuracy of consumer report information, limit the use and sharing of medical information in the financial system, improve financial education and protect employee misconduct.
The FACTA directed financial regulators to enact rules requiring creditors and financial institutions to implement programs identifying, detecting and responding to patterns of activity that could indicate identity theft.
The act defines financial institutions as any entity that holds a “transaction account” belonging to a consumer, and creditors as any entity that extends or renews credit (or arranges for others to do so). The term creditor includes any entity that permits deferred payments for goods or services.
Many dentists may be surprised that they fall under the description of a creditor in this act. The rule employs a broad definition for creditor. Accepting credit cards does not in itself make a business a creditor.
However, if your dental practice receives payment after your service is completed, then you are considered a creditor. In addition, if a dental practice allows installment plans, arranges for the patient to obtain credit to pay for services through a financing company or accepts insurance where the patient is ultimately responsible for payment, the practice will qualify as a creditor.
A red flag
A red flag is an event, a document or an attempted transaction that is indicative of a possible identity theft. This red flag should alert the dental practice (or other business) that someone is not who he (or she) says he is.
In the context of a medical facility, red flags may include an individual falsely claiming to be a patient known by the dental staff, an unknown person lacking personal identification or refusing to provide essential information about his/her identity, or someone unwilling to provide contact information.
In addition, discrepancies between the patient’s medical records and the patient’s physical condition should be a red flag alerting dentists and assistants to a possible identity theft.
Documents that should be considered suspicious include papers that appear to have been altered, altered or cancelled insurance cards, any notice that a patient’s information has been stolen, address discrepancies in credit reports and undeliverable mail.
Finally, any suspicious requests for a prescription or a refill, or a notice that the patient is on active duty in the military (when an individual is claiming to be that patient) should trigger a red flag alert.
How to comply with the act
These regulations require any business that provides credit to customers to take steps to prevent identity theft. For businesses with a low risk of identity theft, such as dental practices that know their customers personally, the FTC will release a template to help them comply with the act.
To comply with the Red Flags Rule, a dental practice is required to adopt a written policy intended to identify red flags, explain how red flags will be detected, detail procedures to be followed after detecting a red flag and create procedures describing the administration of the program, including training and evaluation of the program’s success.
First, in order to identify the red flags, the dental practice must be familiar with the circumstances constituting a red flag. Many of the circumstances a dentist may face that should alert the dental practice to the possibility of identity theft are detailed above.
Second, the practice must explain how the red flags will be detected and addressed. Procedures to detect red flags in the day-to-day operation of the practice should be enacted. Written procedures for addressing a red flag after it has been detected must also be adopted. Procedures for addressing red flags in a dental office may include contacting the patient to verify information, refusing to provide services to the patient, refusing to accept a credit card as a form of payment, monitoring patient accounts for a period of time, immediately calling the authorities or determining that no further action is necessary.
If a dental practice is notified of an actual identity theft relating to one of its patients, it is required by law to cease any efforts to collect the debt against the victim of identity theft.
Furthermore, if a dental office obtains a credit report on a patient that lists a home address that differs from the address on file, the office must make all reasonable attempts to verify the correct home address. If the address is verified and is different from the one listed on the credit report, the office must report this to the credit agency.
The owner of the practice is responsible for implementing the program and ensuring that it is implemented in the practice. An office member may administer the program as long as the owner oversees the operation. Any red flag should be reported to the administrator and should be recorded in a log.
All staff members should be given a copy of the written program and must be trained to spot these issues and to follow the program’s steps. The Red Flags Rule does require annual evaluation of the practice’s program.
Enforcement
Although no criminal penalties will be imposed on a party for failure to comply with the Red Flags Rule, civil penalties of up to $2,500 per violation will be imposed on dentists who are found to have violated the act.
Conclusion
Many dentists are concerned about the implementation of the Red Flags Rule as they have never experienced an issue of identity theft and would like to avoid the expense of complying with this act.
Dentists do not want implementation to interfere with the personal, trusting dentist/patient relationships that they have worked so hard to foster.
The FTC has responded to these arguments, stating that the Red Flags Rule is intended to be flexible and that a red flags plan for a dental office is only required to address issues that a dental practice encounters in its operation.
At this point, it is uncertain exactly how the FTC will move forward on this issue.
However, rest assured that some version of the Red Flags Rule will be implemented and every dental office (large or small) must be prepared.
Stuart J. Oberman, Esq., has extensive experience in representing dentists during dental partnership agreements, partnership buy-ins, dental MSOs, commercial leasing, entity formation (professional corporations, limited liability companies), real estate transactions, employment law, dental board defense, estate planning and other business transactions that a dentist will face during his or her career. For questions or comments regarding this article, visit www.gadentalattorney.com.