MetroLines

April 2009

THE FTC'S RED FLAGS RULE AND THE IMPACT ON HEALTH CARE PROVIDERS - CONTINUED

guidelines which are appropriate.  Each Program must include reasonable policies and procedures on four required elements.  Additionally, health care providers and institutions should integrate HIPAA privacy and security compliance programs and other identity theft policies and procedures already in place.

1.  Identifying Red Flags.  Creditors must identify Red Flags and incorporate them into the Program.  The Guidelines list risk factors to be considered as part of that process as well as twenty-six examples of Red Flags.  Providers and institutions also should consult guidance prepared by medical and other organizations focused on the problems of medical identity theft. 

2.  Detecting Red Flags.  Policies and procedures implemented through the Program should address detecting Red Flags both in connection with opening new covered accounts and maintaining existing covered accounts. 

3.  Responding to Red Flags.  A critical element of any Program will be the policies and procedures regarding the creditor’s response to detected Red Flags.  The regulations require an “appropriate” response to prevent and mitigate identity theft. 

4.  Periodic Updating.  To be effective, the Program must include procedures to periodically update the Program to reflect changes in risks to patients and to the safety and soundness of the creditor from identity theft.

 




In addition to the four core elements, the Red Flags Rule includes requirements for the administration of the Program.  First, the initial written Program must be approved by either the company’s Board of Directors or an appropriate committee of the Board of Directors.  Second, the Board, an appropriate committee or a designated member of senior management of the company must be involved in the oversight, development, implementation and administration of the Program.  Third, the creditor must train staff, as necessary, to implement the Program.  Finally, the Red Flags Rule requires that covered entities exercise “appropriate and effective oversight” of service providers engaged to provide services in connection with covered accounts. 

On October 22, 2008, the FTC suspended enforcement of portions of the Red Flags Rule until May 1, 2009 (a six-month delay from the original November 1, 2008 compliance deadline), in order to provide additional time for covered entities to develop and implement their Programs.  It is important to note that this delay affects only the FTC’s own enforcement activities -- creditors may have liability exposure if they are not yet in compliance with the requirements of the Red Flags Rule.  It remains to be seen whether any additional guidance or clarification regarding the issue of health care providers as “creditors” will be forthcoming from the FTC.  In the meantime, it is advisable for health care providers and institutions to continue (or begin) developing and implementing a written identity theft prevention program in time for the May 1, 2009 deadline.

Written by:
Rebekah A. Z. Monson, a Senior Attorney in the Health Care Services Practice Group of Pepper Hamilton LLP
215.981.4031
monsonr@pepperlaw.com

2009 Copyright, All Rights Reserved, HFMA Metropolitan Philadelphia Chapter - Healthcare Financial Management Association