Just a reminder that the red flag rules will be enforced beginning August 1, 2009. The red flag rules require creditors to implement a formal policy for detecting and preventing identity theft. The rules were authorized under the 2003 Fair and Accurate Credit Transitions Act, which covers entities that regularly extend credit, or defer payment for services. The FTC is still taking the position that health care providers are considered creditors under the rules.
The red flag rules require health care practices to identify red flags, or warning signs, of potential identity theft events, to develop a corporate policy for responding to such risks, and to train employees on the new policy.
Health care providers should consider the following when developing and implementing their identity theft prevention policies:
- Identify warning signs of potential identity theft that may occur in day-to-day operations. Such red flags may include bills for services not provided, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.
- Outline clear procedures for detecting red flags, such as verifying patient identities, educating patients and training staff.
- Establish procedures for responding to red flags, such as gathering pertinent documentation, notifying patients or canceling transactions.
- Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.
- Review and update the identity theft prevention policy at least annually.
© 2009 Parsonage Vandenack Williams LLC
For more information, contact info@pvwlaw.com
VW Health Care Law Blog 