Q: Do the FTC's "Red Flag Rules" apply to Health Care Providers?
A:
Medical practices are sometimes a target for security breaches of personal information (address, date of birth, social security number, etc., of a patient), financial information (patient's bank account numbers, credit card numbers, etc.) and medical records (medications, HIV status, mental health or addiction issues, etc.). The move to electronic filing systems and new technologies that automate certain functions of the medical visit exposes this sensitive information to the threat of theft or misuse. As a result, the Federal Trade Commission (FTC) has initiated "Red Flag Rules" that are meant to prevent or limit damages caused by theft of personal information.
The FTC requires financial institutions and other creditors to create written identity theft prevention programs designed to prevent, detect, and mitigate the effects of identity theft. These regulations are applicable to health care providers that offer financing or payment plans. The written identity theft program must contain policies that identify "red flags," including relevant patterns, practices and/or activities that potentially implicate identity theft; detect the "red flags" that are identified in the program; respond to "red flag" incidents that are detected in order to prevent and mitigate the effects of identity theft; and ensure that the program is reviewed and updated periodically in order to adjust to changing and developing identity theft risks.
The incidents or activities that constitute "red flags" of identity theft will vary based upon the size of the medical practice. Medical entities may find that their red flags will fall under some or all of the following categories: 1) alerts received from a consumer credit reporting agency; 2) suspicious documentation that appears to be altered or inconsistent with other documents on file; 3) suspicious personal identifying information, such as multiple addresses; 4) unusual or suspicious use of or access to a patient's covered account; or 5) notification from patients or law enforcement authorities indicating suspected or actual identity theft.
The FTC has the authority to impose a penalty of $3,500 per incident of a knowing violation of the Rules. At the request of "Members of Congress", the Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010. The rule was set to take effect November 1, 2009. Another bill currently making its way through Congress, HR 3763, may explain the delay in the FTC’s Red Flags Rule enforcement.