
The Red Flags Rule - Are You In Compliance?

The FTC recently ruled that medical practices can be considered creditors, and are subject to the "Red Flags Rule," designed to prevent identity theft. According to the FTC, an entity that is defined as both a "creditor" and having "covered accounts" must be in compliance by November 1, 2009* (originally August 1, 2009). This leaves many offices with little time to develop the written Identity Theft Prevention Policy required by the rule.

PCC has written previously about the Red Flags Rule to help you understand the issue and how it affects your practice. To help you comply, we have put together a general outline of what may be included in your Identity Theft Program, if you determine the Red Flags Rule applies to your practice. We have also created a template policy (Download the Microsoft Word or Open Office Document) that you can adapt to your practice's specific needs.

Note: This article is not offered as legal advice. You should seek legal counsel in performing your practice's risk assessment and in the adoption of your practice's Red Flags Rule ID Theft Program.

The Red Flags Rule states that covered entities must implement an Identity Theft Prevention Program. This program should cover each of the elements described below to comply with the Red Flags Rule.

I. Perform a Risk Assessment and Document the Results

  1. Determine what constitutes a "covered account" for your practice. This will likely include patient billing records, insurance card scan files, and credit card information files.
  2. Define the methods for opening new, and accessing existing, covered accounts.
  3. Detail your practice's past experiences with ID theft, to help you determine your risk level.
  4. Document information related to the practice's demographic base to determine, in part, the level of risk or exposure to ID theft. For instance, does your practice have a small or large customer base, an urban or rural setting, a transient population, etc.?

II. Develop and Implement Policies and Procedures to Detect, Prevent, and Mitigate ID Theft for "Covered Accounts"

Your written policies should include how your practice will:

  1. Identify Relevant Red Flags, including suspicious documents, suspicious personal identifying information, alerts from a consumer reporting agency, and notification by a customer, a victim of ID theft, a law enforcement agency, or any other person about identity theft in connection with a fraudulent account.
  2. Detect Red Flags - Once you have identified a set of warning signals or "red flags" that are relevant to your practice, you will need to establish a plan to detect them in daily business operations. You may spot red flags when you obtain identifying documents to verify a person's identity, authenticate customers for existing covered accounts, and verify the validity of address changes or corrections.
  3. Prevent and Mitigate Identity Theft - Your Identity Theft Prevention Program must include a plan for appropriate responses to red flags that are detected at your practice to prevent and mitigate identity theft. Responses could include monitoring transactions, notifying customers of suspicious activity, changing passwords, notifying law enforcement of suspicious activity, not opening a new account, closing an account, or others. There may also be times your practice determines no response is necessary.

III. Have Upper-Level Management Approve Your Identity Theft Program

Your Identity Theft Program must have approval by upper-level management of your practice, such as a Board of Directors (if you have one) or a senior employee.

IV. Educate Your Staff About the Red Flags Rule, the Implementation Timeline, and the ID Theft Prevention Policies and Procedures

Staff who will be involved in administering the program must be properly trained. You should also assign specific responsibilities for implementing each component of the program.

V. Administer and Maintain the Program

Your program must describe how you will review and update it to ensure you are considering new identity threats. Your practice should report at least once per year on the effectiveness of the program, impact on the practice, and any ID theft incidents, as well as recommend changes to the program. Updates or changes to the program will need to be approved by your upper-level management.


*Update: The FTC announced at the end of July that enforcement of the rule will be delayed until November 1, 2009.


Red Flags Rule Resources

Red Flags Rule from the Federal Register (Large PDF Download)

PCC ID Theft Program Template: Open Office Template or Microsoft Word Template

FTC Article About Who Must Comply With Red Flags Rule