Red Flags Rule: Comply Now, Avoid Lawsuit Later

Dom Nicastro, for HealthLeaders Media, June 3, 2009

To comply, Huda's company offers these tips:

  • Form a compliance committee to implement the Red Flags Rule
  • Perform an inventory to identify all accounts (e.g., medical repayment plans) currently offered to patients. Identify any service providers (e.g., HIS or database providers, collections agencies, etc.) involved in opening or servicing those accounts.
  • Use the risk factors in the rule to perform a risk assessment that identifies which accounts are covered
  • Consider the 26 Red Flags in Appendix J to the Rule (p. 63756 of the Red Flags Rule in the Federal Register), along with any red flags drawn from your own historical incidents of identity theft or from external identity theft cases.
  • For each covered account, map the applicable red flags to one or more detection and response procedures.
  • Develop a risk-based written program. Make sure it includes service provider oversight procedures. Obtain approval from the board of directors or from a board committee (e.g., the audit committee).
  • Train all appropriate staff on how to implement your program.
  • And finally, don't assume you comply with the Red Flags Rule just because you comply with HIPAA, Huda says.

"[Red Flags] is essential to moving ahead and to become fully operational in an e-health environment," says John Parmigiani, HIPAA security and privacy consultant and president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. "Protecting against identity theft and medical identity theft and ensuring data confidentiality, integrity, and availability are critical success factors in the 'trust' equation."


Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.