Thursday, July 30, 2009

Federal Red Flags Rule Goes Into Effect August 1

Posted by Mark Brousseau

Beginning Aug. 1, 2009, hospitals and health care providers that extend any sort of credit to their customers - even something as simple as sending a bill at the end of the month - will need to have a documented, board-approved Red Flag compliance strategy in place to help combat medical identity theft.

Grant Thornton LLP notes that the Red Flags Rule, a component of the Fair and Accurate Credit Transactions (FACT) Act signed into law in December 2003, requires that financial institutions and creditors in a number of industries implement a plan to identify, detect and respond to attempts to use stolen identity information.

"This rule is completely different from policies you have in place to protect sensitive information," says Randy Green, a principal in Grant Thornton LLP's Advisory Services group. "Instead, this regulation is designed to prevent thieves who have somehow acquired another person's identity - via medical records or otherwise - from using it to commit fraud. The rule requires you to identify all of the indicators that might tip you off to possible identity theft, implement appropriate preventive and detective controls, and react appropriately."

While the Rule has been in effect since November 2008, enforcement by the Federal Trade Commission (FTC) will begin Aug. 1 of this year. Initially, the FTC may assess retroactive penalties for violations, require additional compliance reporting from companies and obtain an injunctive compliance order. Further violations could result in a visit to federal district court and a fine of up to $16,000 per individual occurrence of identity theft.

"After Aug. 1, 2009, any occurrence of medical identity theft at your hospital or business exposes you to an FTC investigation," said Green. "We believe that enforcement of this rule will be complaint-driven, and given the staggering number of identity thefts, there will be no shortage of complaints."

"In summary, the Red Flags Rule is likely to become the standard of care that all hospitals and health care providers will need to provide to prevent medical identity theft," concluded Green. "Skipping red flags compliance will expose you to real regulatory, reputational and litigation risks."

How has your organization prepared for the Red Flags Rule?
