Red Flags Rule: Comply Now, Avoid Lawsuit Later

By HealthLeaders Media Staff | June 03, 2009

The scenario is far too familiar: Patient gets a call from a hospital about a bill. Patient says they never went to the hospital. Hospital says they did.

Now you've got a case of healthcare identity theft—and maybe a class action lawsuit.

Compliance with the Federal Trade Commission's new Red Flags Rule is critical for healthcare organizations, regardless of whether the FTC postponed its enforcement date to August 1. The compliance date is actually November 1, 2008. That hasn't changed.

Sai Huda, chairman and CEO of Compliance Coach, a San Diego software company that specializes in automated regulatory compliance solutions, says bluntly of the FTC's enforcement delay: "So what? Anyone who is out of compliance is out of compliance."

Patients seeking damages from hospitals in identity theft cases have a leg up against hospitals that have yet to comply with the Red Flags Rule, Huda says.

"The patients will be asking, 'How did this happen to me,' and then they find it was the healthcare provider," Huda says. "And then they find out the healthcare provider hasn't done anything about it, and then they go to a plaintiff attorney. All of a sudden, you have a class action lawsuit." You may end up fighting a case that says you violated the Unfair Deceptive Acts and Practices (UDAP) Act. Not to mention attorney fees and bad publicity.

"This is a big risk," Huda says. "Don't wait."

The Red Flags Rule requires organizations considered as "creditors" to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. That regulation falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

In a Compliance Coach survey of 100 hospitals across the country last year, 73% of respondents said they were surprised the Red Flags Rule applied to them, and 77% said they were just learning about it.

To comply, Huda's company offers these tips:

  • Formulate a compliance committee to implement compliance with the Red Flags Rule.
  • Perform an inventory to identify all accounts (e.g., medical repayment plans) currently offered to patients. Identify any service providers (e.g., HIS or database providers, collections agencies, etc.) involved in opening or servicing accounts.
  • Utilize the risk factors in the rule to perform a risk assessment to identify which accounts are covered.
  • Consider the 26 Red Flags in Appendix J to the Rule (p. 63756 of the Red Flags Rule in the Federal Register), but also any red flags from historical incidents of identity theft or external identity theft cases.
  • For each covered account, map applicable red flags to one or more detection and response procedures.
  • Develop a risk-based written program. Make sure it includes service provider oversight procedures. Obtain board of directors approval or approval from a board committee (e.g., audit committee).
  • Train all appropriate staff on how to implement your program.
  • And finally, don't think you're in compliance with Red Flags because you comply with HIPAA, Huda says.

"[Red Flags] is essential to moving ahead and to become fully operational in an e-health environment," says John Parmigiani, HIPAA security and privacy consultant and president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. "Protecting against identity theft and medical identity theft and ensuring data confidentiality, integrity, and availability are critical success factors in the 'trust' equation."
