Red Flags Rule Enforcement Starts on Saturday

Dom Nicastro, for HealthLeaders Media, July 28, 2009

Apgar says the Red Flags requirements are similar to the HIPAA Security Rule and state/federal breach notification requirements. His suggested "required elements" of a compliant Red Flag Rule program that can be incorporated into existing policies are:

  • Risk analysis

  • Threat or vulnerability identification ("Red Flag" identification)

  • Alerts, notification requirements and investigation

  • Mitigation as necessary (including breach notification)

  • Documentation of investigations and, if appropriate, mitigation

  • Workforce member training

  • Business associate implementation and maintenance of an identity theft protection program (requires an amendment to the business associate contract)

And if there ever were a time to be compliant, it's now, especially with the new HIPAA provisions enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

"Given the expansion of federal enforcement included in ARRA and the significant increase in civil penalties," Apgar says, "it is important now to make sure the security program is sound and reasonably ensures patient PHI is protected from inappropriate access, breach or exposing the patient to identity or medical identity theft."


Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.