Jul 27

Tip: Steps for Red Flags Rule compliance


John C. Parmigiani, HIPAA security and privacy consultant and president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, suggests several steps to help providers become compliant by August 1.

First, conduct an organizational audit. Identify potential problems associated with your unique organization. Be sure to allow sufficient time to conduct a thorough investigation. Then develop a theft prevention program; this is an FTC requirement and necessary to track every account on your books. The amount someone pays is irrelevant—even if it’s only a dollar per week, says Parmigiani.

The written program must:

  • Identify potential red flags that exist within your institution
  • Help detect red flags when they occur in real time
  • Detail how you will respond to incidents of attempted identity theft (i.e., how you can either prevent the incident or, if you are unable to do so, how you will mitigate damages)

These steps are also important to maintain good business standards, says Parmigiani.

This tip was adapted from the article, “Compliance update: FTC moves Red Flags Rule compliance deadline to August 1,” which appears in the April 2009 issue of HCPro’s monthly newsletter Health Information Compliance Insider. To learn more about this newsletter or to subscribe, visit HCMarketplace.

Categories: Red Flags Rule

Comments

  1. Dom Nicastro says:

    UPDATE:

    The FTC delayed Red Flags Rule enforcement to November 1, 2009.

    See the FTC release here —
    http://www.ftc.gov/opa/2009/07/redflag.shtm

  2. Chris Apgar says:

    Even if the legislation passes into law and includes exemptions from the Red Flag Rule, healthcare organizations of all sizes need to keep in mind that this does not exempt them from the state or federal breach notification requirements or from civil suits related to harm caused by undiscovered identity or medical identity theft. I think this is a key point missed by a number of organizations.

    One of the goals of all organizations that store, use and disclose personally identifiable information (especially health care related, social security numbers, etc.) should be to implement policies, procedures and practices to avoid the breaches in the first place. The Red Flag Rule mandated just that. Even if organizations are no longer required to adhere to the Red Flag rules, that is not necessarily a reason not to implement safeguards to prevent breaches that may lead to identity and medical identity theft, lawsuits, adverse media, loss of business due to loss of trust in, say, a health care practice, etc.

    Taking the Red Flag Rule off the table, the HIPAA Privacy and Security Rules require the implementation of controls to protect PHI, to investigate incidents (which could be breaches) and do something about it. This isn’t going away.

    I don’t necessarily support or oppose the legislation. I think it would be a good risk avoidance strategy, though, for organizations such as smaller clinics to implement controls to prevent identity and medical identity theft, as insurance against lawsuits from patients claiming damages, if nothing else.

    It’s good to keep in mind that the highest cost to healthcare organizations since the Privacy Rule was enforceable has not been fines and penalties. It’s been lawsuits, resulting sometimes in very large settlements not in the favor of the covered entities out there.

    Chris Apgar, CISSP
    Apgar & Associates, LLC