When Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), little did healthcare organizations suspect that they would be on the hook for yet another government mandate. But that's exactly what's happened, and the August 1 deadline for implementing procedures to comply with the regulations, known as the Identity Theft Red Flags Rule (16 CFR 681.2), is fast approaching.
Section 114 of FACTA required six regulatory agencies to create rules mandating organizations that deal with consumer information to monitor for identity fraud, says Robin J. Fisk, Esq., principal of Fisk Law Office in Ashland, NH. Since the agencies primarily regulate the financial industry, healthcare organizations were slow to discover that the rules might apply to them.
The Red Flags regulations define a pattern, practice, or specific activity that could indicate identity theft. In addition to financial institutions, they apply to creditors, defined as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or an assignee of an original creditor who participates in the decision to extend, renew, or continue credit."
Typical creditors include consumer organizations such as banks, auto dealers, and utility and cell phone companies. However, the Federal Trade Commission (FTC) has interpreted the regulations to apply to other organizations, including nonprofits and government agencies, Fisk says. Although the FTC usually has no jurisdiction over nonprofits, the agency has taken the position that it holds jurisdiction when a nonprofit performs functions that are similar to a for-profit. "Any person that provides a product or service for which the consumer pays after delivery is a creditor," the FTC's enforcement policy states.
To be subject to the Red Flags regulations, healthcare organizations must also maintain covered accounts, which may include consumer accounts and any other type of account that presents a reasonable risk of identity theft that could harm the patient or provider.
Although the Red Flags Rule went into effect November 1, 2008, the FTC agreed to defer enforcement until August 1 "so that creditors and financial institutions have more time to develop and implement written identity theft prevention policies," according to an April 30 press release.
To comply, healthcare organizations must develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with covered accounts, Fisk says.
The prevention program may be scaled to the size and complexity of your organization, as well as the nature and scope of your exposure. However, your program must also consider guidelines regarding the Identity Theft Red Flags that were originally published in the Federal Register November 9, 2007.
These guidelines, which will be updated periodically, are intended to assist creditors in creating and maintaining a program that satisfies the requirements of the Red Flags regulations. The guidelines cover risk factors for identifying red flags, categories of red flags, and methods for preventing and mitigating identity theft.
Your board of directors, or your senior executive if your organization doesn't have a board, must appoint someone to develop your compliance program, Fisk says. The Red Flags compliance officer's first order of business is to determine whether your organization maintains covered accounts.
Next, the compliance officer must conduct a risk assessment of your covered accounts, including the methods you provide to open and access accounts and your organization's previous experiences with identity theft.
Your compliance program must include reasonable policies and procedures to identify red flags for covered accounts and ensure that the program adequately addresses them. The program should instruct staff members on how to respond appropriately to prevent identity theft and to mitigate any effects from identity thefts that occur. The program must also include a process that incorporates updates to keep pace with changes in patient risk and to your organization's programs.
This article was adapted from one that originally appeared in the July 2009 issue of The Doctor's Office, a HealthLeaders Media publication.