Saturday marks the enforcement date of the Federal Trade Commission's Red Flags Rule—barring another delay, of course.
The FTC set enforcement three times: November 1, 2008; May 1, 2009; and August 1, 2009.
The latter looks like it will stick. That means starting Saturday, the FTC can officially audit your facility if you haven't complied with the Red Flags Rule, the mandate that all healthcare facilities considered "creditors" have an identity theft prevention program in place.
The Red Flags Rule requires any covered organization to implement a program to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
That regulation falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which defines "creditors" as agencies that regularly extend or renew credit, or arrange for others to do so, and includes all entities that regularly permit deferred payments for goods or services.
Chris Apgar, CISSP, president of Apgar & Associates, LLC in Portland, OR, writes in his white paper, Red Flag Rules & Physicians – Overview and Program Requirements, that the key requirement for complying with Red Flags is adopting an umbrella policy and procedure.
"The policy and procedure needs to be approved by the highest authority in the practice or clinic such as the board of directors, partners, sole owner, etc.," Apgar writes. "… The umbrella policy indicates the program has been adopted and approved by the highest authority for the practice or clinic. It also outlines the components of the Red Flag Rule program for the practice or clinic. Any supporting policies and procedures need to be reviewed and/or developed by senior management and the program needs to be reviewed at least annually."