There has been a flurry of activity in the past month to address a new privacy compliance issue that has taken many health care organizations by surprise -- The Federal Trade Commission's "Red Flag" regulations or "Red Flag Rule." The Red Flag Rule (16 C.F.R. Part 681) requires companies to "develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account." Organizations that are subject to the Rule must have an ID Theft Prevention Program in place by November 1, 2008.
While it has been clear for some time that the Red Flag Rule applies to banks and certain other financial institutions, it was less clear how it might apply to health care organizations. The FTC recently clarified that the Red Flag Rule applies to ANY entity that functions as a "creditor" by allowing deferred payment for services that are utilized by an individual for personal, household or family purposes. When a hospital or medical group permits a patient to pay for services over time, that hospital or medical group becomes a "creditor" within the meaning of the Red Flag Rule.
Developing an Identity Theft Prevention Program does not have to be terribly burdensome, and organizations that are subject to HIPAA have probably implemented many measures that are consistent with the Red Flag Rule. Many program measures are simple common sense. For health care providers, one of the primary means of reducing the risk of identity theft is to obtain sufficient verification of the patient's identity at the point of service, such as requesting a driver's license or other photo ID.
However, the Rule does contain a number of specific requirements for ID theft prevention programs, and most organizations will need to develop additional processes, and take additional steps, to comply. For example, the finalized ID Theft Prevention Program must be approved by the organization's board of directors, or a subcommittee of the board. In addition, a healthcare organization must conduct an assessment of its risk factors for identity theft, and identify the identity theft "red flags" that are applicable to their operations, such as a suspicious address change or a notice from a patient that they have been a victim of identity theft.
In short, if your organization has not yet considered whether it is subject to the Red Flag Rule, then now is the time to do so. November 1 is fast approaching ….