The scenario is far too familiar: Patient gets a call from a hospital about a bill. Patient says they never went to the hospital. Hospital says they did.
Now you've got a case of healthcare identity theft—and maybe a class action lawsuit.
Compliance with the Federal Trade Commission's new Red Flags Rule is critical for healthcare organizations—regardless of whether the FTC postponed its enforcement date to August 1. The compliance date is actually November 1, 2008. That hasn't changed.
Sai Huda, chairman and CEO of Compliance Coach, a San Diego software company that specializes in automated regulatory compliance solutions, says bluntly of the FTC's enforcement delay: "So what? Anyone who is out of compliance is out of compliance."
Patients seeking damages from hospitals in identity theft cases have a leg up against hospitals that have yet to comply with the Red Flags Rule, Huda says.
"The patients will be asking, 'How did this happen to me?' and then they find it was the healthcare provider," Huda says. "And then they find out the healthcare provider hasn't done anything about it, and then they go to a plaintiff attorney. All of a sudden, you have a class action lawsuit." You may end up fighting a case that says you violated the Unfair Deceptive Acts and Practices (UDAP) Act. Not to mention attorney fees and bad publicity.
"This is a big risk," Huda says. "Don't wait."
The Red Flags Rule requires organizations considered "creditors" to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. That regulation falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
In a Compliance Coach survey of 100 hospitals across the country last year, 73% of respondents said they were surprised the Red Flags Rule applied to them. And 77% said they were just learning about it.