Since this article appeared online, the FTC announced it is delaying enforcement until November 1.
Saturday marks the enforcement date of the Federal Trade Commission's Red Flags Rule—barring another delay, of course.
The FTC set enforcement three times: November 1, 2008; May 1, 2009; and August 1, 2009.
The latter looks like it will stick. That means starting Saturday, the FTC can officially audit your facility if you haven't complied with the Red Flags Rule, the mandate that all healthcare facilities considered "creditors" have an identity theft prevention program in place.
The Red Flags Rule forces organizations to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
That regulation falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which defines "creditors" as agencies that regularly extend or renew credit, or arrange for others to do so, and includes all entities that regularly permit deferred payments for goods or services.
Chris Apgar, CISSP, president of Apgar & Associates, LLC in Portland, OR, writes in his white paper, Red Flag Rules & Physicians – Overview and Program Requirements, that the key requirement to comply with Red Flags is adopting an umbrella policy and procedure.
"The policy and procedure needs to be approved by the highest authority in the practice or clinic such as the board of directors, partners, sole owner, etc.," Apgar writes. "… The umbrella policy indicates the program has been adopted and approved by the highest authority for the practice or clinic. It also outlines the components of the Red Flag Rule program for the practice or clinic. Any supporting policies and procedures need to be reviewed and/or developed by senior management and the program needs to be reviewed at least annually."
Apgar says the Red Flags requirements are similar to the HIPAA Security Rule and state/federal breach notification requirements. His suggested "required elements" of a compliant Red Flag Rule program that can be incorporated into existing policies are:
- Risk analysis
- Threat or vulnerability identification ("Red Flag" identification)
- Alerts, notification requirements and investigation
- Mitigation as necessary (including breach notification)
- Documentation of investigations and, if appropriate, mitigation
- Workforce member training
- Business associate implementation and maintenance of an identity theft protection program (requires an amendment to the business associate contract)
And if there ever were a time to be compliant, it's now, especially with the new HIPAA provisions signed into law in the American Recovery and Reinvestment Act of 2009 (ARRA).
"Given the expansion of federal enforcement included in ARRA and the significant increase in civil penalties," Apgar says, "it is important now to make sure the security program is sound and reasonably ensures patient PHI is protected from inappropriate access, breach or exposing the patient to identity or medical identity theft."