New Red Flags rule regarding identity theft goes into effect May 1. While still being challenged, the rule is interpreted to apply to most health care organizations.
Health care organizations that accept insurance or provide payment plans are considered creditors subject to the red flags requirements.
The Red Flags Rule requires creditors to have identity theft prevention programs that identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Information including Protected Health Information (PHI), social security numbers, credit card information, claims data, and other sensitive information is covered by the rule.
According to the Federal Trade Commission (FTC), the Red Flags Rule requires "a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees ... include appropriate staff training, and provide for oversight of any service providers."
The AMA's Practice Management Center has published a sample policy for Red Flags compliance and a good overview document on what physician practices should do to prepare for Red Flags compliance.