May 1st is the official date on which the Federal Trade Commission (FTC) will begin enforcing its Red Flag Rules, which require many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. Do these Red Flag Rules apply to you? If you are a health care provider, the answer is “Yes,” except in limited circumstances. The good news is that compliance is scalable, meaning that your Identity Theft Prevention Program may be commensurate with the size and complexity of your organization (which, presumably, is in turn commensurate with the risk of identity theft involved). Even for larger providers, rolling out a simple but effective program can be done quickly and efficiently.
On the question of applicability, simply put, these rules apply to you as a health care provider if you are a “creditor” which offers or maintains “covered accounts.” A “creditor” is an entity which regularly accepts deferred payment for goods or services. A “covered account” is a consumer account that permits multiple payments or any other account for which there is a reasonably foreseeable risk of identity theft. Health care providers are viewed as “creditors” primarily because they routinely defer payment for services in order to bill the patient’s insurance company, or to later bill the patient pursuant to a payment plan. Furthermore, patient billing and medical records generally contain personal identifiers, including financial information, which would satisfy the catch-all definition of “covered accounts.”
Fortunately, there are many resources out there for those who find themselves in need of a quick fix. Both the AMA (www.ama-assn.org) and the AHA (www.aha.org) have sample form policies and other resources available on their websites. Last month the FTC issued its guide, “Fight Fraud with the Red Flag Rules: A How-To Guide for Business,” which is available on its website at www.ftc.gov. Also, the regulations themselves include an appendix which identifies a number of examples of potential red flags. Be careful not to cram your square peg into a round hole; form policies are not “one size fits all,” and you will need to tailor any standardized form to fit your needs. The goal is to come up with a reasonable program for identifying, detecting and responding to potential “red flags” of identity theft.
A simple five-step approach will get you where you need to be, or at least well on your way, as quickly as possible.

1. Put someone in charge. Maybe it should be your Privacy or Security Officer; maybe it should be your Accounts Manager. Look at the size and complexity of your organization and ask yourself, who knows the most about our accounts, our information gathering, and our billing?
This alert is intended to be a “last call” for compliance; the FTC’s enforcement date is fast approaching, and with some quick guidance you still have time to meet the compliance deadline. Please feel free to contact us if you have any further questions about compliance with the Red Flag Rules or if you would like help fine-tuning your program. Remember, an effective Identity Theft Prevention Program is not just necessary to comply with the FTC’s Red Flag Rules; it is also good business.