The Federal Trade Commission (FTC) pushed back its compliance date Thursday on the "Red Flags Rule" from May 1 until August 1, giving healthcare facilities considered to be "creditors" three extra months to implement an identity theft prevention program.
But that does not mean healthcare entities should delay implementing a program, especially when the enforcement agency is the FTC, which has a reputation for harsh penalties and sweeping corrective measures.
"Don't forget, this is a much different agency than [Office for Civil Rights] and CMS, the enforcement agencies for HIPAA, and if they do show up, the consequences will likely be severe," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Complying with the Red Flags Rule is what keeps the FTC away. The rule requires any organization considered to be a "creditor" to implement a written program to identify, detect, and respond to patterns, practices, or specific activities ("red flags") that could indicate identity theft.
The rule was issued under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which defines "creditors" as entities that regularly extend or renew credit, or arrange for others to do so, and includes all entities that regularly permit deferred payments for goods or services. A hospital or practice that bills a patient after treatment rather than collecting payment up front can fall within that definition.
Originally, the compliance date for Red Flags was November 1, 2008, but the FTC delayed it until May 1, and now August 1.
Major financial institutions such as banks and federally regulated credit unions, which answer to the federal banking regulators rather than the FTC, did not get a break from the original November 1 compliance date.
"I think the FTC was trying to give people enough time to hear about it, embrace it, and move forward with it," says Suzanne Miller, PhD, senior partner at Compliance and Audit Group, Orlando, FL, a consulting firm. "But, do I think that allowing them until August 1 will cause more to get on board? No. We are in a financial crisis here, and people don't care. If there aren't police or a big stick, people don't care."
Miller reminded healthcare entities that if they comply with the already-established Payment Card Industry Data Security Standard (PCI DSS), they also comply with the Red Flags Rule.
So what should your healthcare organization do? For starters, your front-end patient access team needs to be in the loop, since they are the ones collecting patient identity and payment information. Your billing and accounting staff, and anyone else who handles a patient's bill or credit information, should also be involved, along with your compliance and HIPAA officers.
The FTC itself has published a helpful guide, "Fighting Fraud with the Red Flags Rule: A How-To Guide for Business," to help creditors build and maintain a compliant program.
Experts told Healthleaders Media that organizations should conduct an organizational audit, develop the identity theft prevention program and obtain approval from the board of directors, monitor the program on an ongoing basis, and train everyone who touches patient identity or payment data.
Tanya Forsheit, co-head of the Privacy and Data Security Practice Group at law firm Proskauer Rose LLP in Los Angeles, says healthcare entities should first determine whether they are covered, then start work on a program to detect and respond to signs of identity theft, put that program in writing, and consult with counsel about what makes sense for their organization. They should also review their regular practices for verifying patient identity, for responding to law enforcement requests, and for handling medical records that might be at risk of identity theft.
"It may be that they already do a number of things that are in line with compliance and then it's just a question of putting something in writing to memorialize the program and making sure people in the practice or the hospital are trained and understand what this means," says Forsheit.
And realize there is a major financial risk associated with non-compliance, not to mention financial and potentially physical harm to your patients. Medical identity theft can corrupt a patient's record with someone else's diagnoses, allergies, or blood type, which means it can compromise patient care, not just patient finances.
"Look at the state laws," Miller says. "Massachusetts has one coming out that will bring you to your knees if you don't do it. If healthcare providers would understand what their risk is…because today they don't think there is a financial risk to non-compliance. If they realized that all of this really goes together, and if they have a breach of any kind that could be attributed to identity theft or fraud, then the penalties and the fines could put them out of business."
John Commins of Healthleaders Media contributed to this report.