Red Flag Rule Enforcement Buys More Time for Providers
The Federal Trade Commission (FTC) will suspend enforcement of the new Red Flags Rule until May 1, 2009. This gives financial institutions and creditors (as well as medical practices) additional time to implement written identity theft prevention programs. The Enforcement Policy Statement release does not affect other federal agencies’ enforcement of the original Nov. 1 deadline for institutions subject to compliance.
Under the Red Flags Rule, which was prompted by Fair and Accurate Credit Transactions (FACT) Act of 2003, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or activities indicating identity theft.
What does this mean for health care providers? According to Erin S. Whaley, JD, MA, associate at Troutman Sanders, LLP, “The Red Flags Rule requires health care providers and all others who regularly defer payment for service to put in place a program for preventing identity theft. These programs will require providers and their staff to be more vigilant about identifying ‘red flags’ that may indicate potential identify theft. Initially, development and implementation of Red Flags programs will require health care providers to designate a Red Flags manager, conduct a risk assessment, develop a program, and seek approval from their boards of directors. Completing these activities will require a significant effort on the part of the providers, especially with respect to obtaining board approval. Typically, a board of director’s meeting has a very full agenda and, often, the board does not address these types of issues. To comply with the Red Flags Rule, however, boards of directors will have to modify their mindsets and become involved in the Red Flags programs. After the initial implementation effort, a Red Flags program will probably not have a material impact on the day-to-day operations of the provider, but the provider will be required to comply with the program, maintain it, and provide periodic updates to the board.”
For more information about the Red Flag Rule, go to the FTC Web site.