Articles August 1, 2014

Identity Theft & Health Care & Financial Fraud Drive New FTC Security Rules

By Stuart E. Hoffman, DC, FICA
ChiroSecure President

Identity theft is a growing reality perpetrated by an increasingly sophisticated and organized criminal industry, costing billions and disrupting the lives of millions of Americans. According to a report of the President’s Identity Theft Task Force, identity theft, defined as a fraud attempted or committed using identifying information of another person without authority, results in billions (one source estimated $56 billion in the US alone) in losses each year to individuals and businesses. Health care facilities, including chiropractic practices, are a widely recognized potential source of vital personal data that might easily be misdirected and abused. The security and confidentiality of that data has loon been a paramount concern of responsible practitioners.

For years, the security, confidentiality and accountability rules in force under the HIPAA program have been a reality with which all chiropractic practitioners have been obliged to deal. The US Department of Health and Human Services (HHS) issued those patient privacy protections pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The first and until recently, the only comprehensive federal privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers took effect on April 14, 2003.

Developed and enforced by HHS, HIPAA standards provide patients with access to their health care records and more control over how their personal health information is used and disclosed. The regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. Doctors of chiropractic in the United States are covered under this law. Materials and technical direction for providers and businesses to help them to implement HIPAA privacy protections are available at

The HIPAA rules are reasonable and so far, their enforcement has been fair and directed at protecting the consumer, and not in any way extended into a witch hunting mechanism against providers. Let’s hope it stays that way.

In a new security and confidentiality effort, the Federal Trade Commission (FTC) and the federal financial institution regulatory agencies have published formal national rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, legislation intended to help prevent identity theft and resulting fraud and financial theft that inevitably follows. Originally scheduled to go into full effect, with federal agencies beginning enforcement on May 1, 2009, because of confusion over just what entities and businesses are covered, FTC enforcement was postponed until August 1, 2009. This additional delay is intended to help businesses to develop and implement written identity theft prevention programs. While active nationwide enforcement by the FTC has been postponed, businesses and other covered entities are still expected to be in compliance and might be held liable for security breeches which, according to the new rules, they should have prevented.

The new FTC rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:


  • Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
  • Detect red flags that have been incorporated into the Program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically to reflect changes in risks from identity theft.


The new FTC Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. In this age of credit cards and payment plans, it seems quite clear that most chiropractic practices are covered and it is in every practitioner’s best interest to familiarize themselves with these rules and act accordingly. To help, the FTC has published an information and implementation manual titled, Fighting Fraud with the Red Flags Rule: A How-To Guide for Business. This document is intended to help you:


  • Find out if the rule applies to your business or organization;
  • Get practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts; and
  • Learn how to put in place your written Identity Theft Prevention Program.


This guide is available online at:

The FTC believes that by identifying red flags in advance, you’ll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft. Take advantage of other resources on this site to educate your employees and colleagues about complying with the Red Flags Rule.

As with everything having to do with the security, integrity and safety of your practice, a little prevention effort is worth so much more than the mass of clean-up that a security-breech cure will certainly involve.

Patient Data Security is a Real Practice Concern

It is easy to minimize or even dismiss your personal responsibilities under these new rules, and it is true that the odds of serious issues arising are small. Still, for those confronted with major security incidents, the problems are expensive, tremendously time consuming and can disrupt your normal practice operations for many months. The risk of data loss has been exponentially increased by new computer technology and the emergence of small computers, lap-tops and even hand-held data storage devices that allow for the storage of great amounts of information in tiny pieces of equipment, and unprecedented portability of those devices and the data they contain.

In recent months, we have been called upon to assist policy holders who have had masses of patient data compromised when lap-top computers, one in an office and one in the doctor’s car, were stolen. Those unfortunate victims have been obliged to mount wide-spread damage control programs that include both written notification to all patients whose information was compromised as well as offering to pay for assistance from a credit protection service to those patients who might have credit or identity issues as a result. It can even be worse, if those patient records are not backed up in a secure copy in another location. Imagine trying to address billing and payment issues, not to mention audit and contested payment and care delivery issues by third-party payers, with no records. This is a nightmare no doctor of chiropractic should ever have to deal with, so always back up your data, a process that will serve to protect you and your practice from everything from computer failures to criminal actions, fire or other natural disasters.

As in almost every dimension of sound practice management, common sense and an awareness of the rules under which you must operate can save you a lot of unnecessary and preventable trouble. Likewise, a reliable malpractice insurance partner can help you prevent unwanted issues before they even emerge, as well as stand by you when they occur. And, make no mistake, they do occur.