Raising The Red Flag: Will You Be Ready On November 1?

June 24, 2011

There has been a flurry of activity in the past month to address a new privacy compliance issue that has taken many health care organizations by surprise: the Federal Trade Commission's "Red Flag" regulations, or "Red Flag Rule." The Red Flag Rule (16 C.F.R. Part 681) requires companies to "develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account." Organizations that are subject to the Rule must have an ID Theft Prevention Program in place by November 1, 2008.

While it has been clear for some time that the Red Flag Rule applies to banks and certain other financial institutions, it was less clear how it might apply to health care organizations. The FTC recently clarified that the Red Flag Rule applies to ANY entity that functions as a "creditor" by allowing deferred payment for services that are utilized by an individual for personal, household or family purposes. When a hospital or medical group permits a patient to pay for services over time, that hospital or medical group becomes a "creditor" within the meaning of the Red Flag Rule.

Developing an Identity Theft Prevention Program does not have to be terribly burdensome, and organizations that are subject to HIPAA have probably implemented many measures that are consistent with the Red Flag Rule. Many program measures are simple common sense. For health care providers, one of the primary means of reducing the risk of identity theft is to obtain sufficient verification of the patient's identity at the point of service, such as requesting a driver's license or other photo ID.

However, the Rule does contain a number of specific requirements for ID theft prevention programs, and most organizations will need to develop additional processes, and take additional steps, to comply. For example, the finalized ID Theft Prevention Program must be approved by the organization's board of directors, or a subcommittee of the board. In addition, a health care organization must conduct an assessment of its risk factors for identity theft, and identify the identity theft "red flags" that are applicable to its operations, such as a suspicious address change or a notice from a patient that they have been a victim of identity theft.

In short, if your organization has not yet considered whether it is subject to the Red Flag Rule, then now is the time to do so. November 1 is fast approaching ….
