Archive for Red Flags Rule

Cheryl Clark, for HealthLeaders Media, August 18, 2010

The Council of Medical Specialty Societies, which represents some 650,000 U.S. physician specialists in 34 societies, has announced its participation in a lawsuit to exempt doctors from requirements of the “Red Flags Rule” scheduled to take effect by year end.

Groups such as the American Medical Association object to the Federal Trade Commission’s requirement for physicians to verify the true identity of their patients before they agree to treat them if the patients are not paying in full at the time of the visit. The intention of the requirement is to prevent potential cases of identity theft.

If a patient says he or she is someone else, the wrong person or entity would be billed for that individual’s care.  But doctors say that requiring such proof of identity is time-consuming, awkward, and may delay care if the patient didn’t bring proper documents.

The FTC has postponed implementation of the rule five times. It is now scheduled to go into effect Dec. 31.

The AMA, the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit this spring demanding the FTC exempt physicians from the rule. Such identity verification, they say, covers the physician-patient relationship with a blanket of suspicion before treatment ever begins. It also may require doctors to set up identity theft prevention and detection programs.

The Council of Medical Specialty Societies is joining in the lawsuit because the FTC “failed to follow the required notice and comment procedures under the Administrative Procedures Act.” It also said that applying the rule to doctors imposes significant burdens, “particularly (on) solo practitioners and those practicing in small groups.”

Norman Kahn, MD, executive vice president and CEO of CMSS, says that if the rule applies to its members, it “would substantially drain the financial resources of physicians, particularly those whose support systems are limited.”

Also, groups opposing the rule claim it is not appropriate for certain practices.

“A plan for a physician who serves in a rural area in which patients are well-known will be different from one for a physician in a large group in an urban area,” the CMSS said in its statement. Time required to comply with the rule will “necessarily detract from the attention physicians are able to give their patients.”

In the latest postponement, the FTC said the delay will allow Congress to consider legislation that would affect the scope of entities covered by the rule.

In a statement in June, FTC Chairman Jon Leibowitz said, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule—and to fix this problem quickly.” He added, “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”


Q. The Red Flags Rule references service providers. What are examples of service providers?

A. The Red Flags Rule defines a service provider as “a person that provides a service directly to the financial institution or creditor.” For providers required to comply with the rule, this includes business associates (BAs) such as billing agencies, collection agencies, auditors, and software vendors with access to the billing systems.

Creditors—in this case, providers—must reasonably ensure that service providers implement an identity or medical identity theft prevention program. Practically speaking, this means amending BA contracts to include this new requirement.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.



The FTC will not enforce the medical identity theft prevention and protection rule, known as the Red Flags Rule, against doctors or any American Medical Association (AMA) or state medical society members until lawsuits are settled.

Some associations have sued the FTC for forcing them to comply with the Red Flags Rule.


The Federal Trade Commission (FTC) may have delayed enforcement of the Red Flags Rule until December 31, 2010, but the requirement to comply is still in effect.

And that’s the gist of our show this Wednesday, June 9: How to comply with the FTC’s rule that says “creditors” must have in place a program to prevent and detect red flags for medical identity theft.

To learn more about our Red Flags Rule show, visit its home page.


The Federal Trade Commission delayed enforcement of the Red Flags Rule for a fifth time, this time extending the date seven months.

Enforcement was scheduled for June 1, 2010. It is now changed to December 31, 2010.

The FTC says on its Web site the delay comes at the request of Congress as it “considers legislation that would affect the scope of entities covered by the rule.”

Healthcare entities defined as “creditors” by the FTC must still comply with the rule by implementing a program to prevent and detect cases of identity theft. The compliance date was November 1, 2008.

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly,” FTC Chairman Jon Leibowitz said on the FTC Web site. “We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Senate filed a bill Tuesday, May 25, that is awfully similar to the House’s bill from October and essentially exempts providers with fewer than 20 employees from complying with the FTC’s Red Flags Rule. The House bill passed 400-0.

The FTC says it will make enforcement effective earlier than December 31, 2010, provided Congress passes legislation before that date.

Medical and osteopathic associations Friday, May 21, sued the FTC for covering them under the Red Flags Rule, which requires them to start verifying their patients’ true identities before they agree to treat them.

The lawsuit seeks to prevent the FTC from defining physicians as “creditors” whenever they do not require payment in full at the time they provide care and later bill their patients, according to the brief filed by the American Medical Association, the American Osteopathic Association, and the Medical Society of the District of Columbia in the District Court where the case was filed.

“We do already have a number of rules and regulations to follow to protect patient privacy and information security, and these have recently been strengthened with ARRA and HITECH,” says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, Maine. “Requiring healthcare providers to follow the Red Flags Rule is just another regulatory hoop for us to jump through.”

Simons, who will speak on HCPro, Inc.’s June 9 audio conference, “Prevent Medical Identity Theft and Comply with FTC Requirements Now,” says there is never enough training and monitoring regarding best security and privacy practices.

However, she says, “I don’t think this adds significantly to what we already do.”

Bonnie McLaughlin, a development analyst for Medical Information Technology, Inc. in Westwood, MA, says she is “horrified” by the attempt to exempt physician practices from the Red Flags Rule.

“It is just as possible that someone can use my identity/insurance/financial information when presenting at a physician’s office as it would be in a larger healthcare setting,” McLaughlin says.

McLaughlin says devising a Red Flags Rule policy “can be relatively simple.”

“If these providers would simply read through the ruling and understand exactly what is involved in meeting this requirement, they would have already been able to meet the criteria in the amount of time they have taken resisting being held accountable,” she says.
