This post has been archived and contains information that may be out of date.
After several delays over the last year, the Federal Trade Commission will begin enforcement of the ‘red flag’ rule on November 1, 2009.
The rule is aimed at reducing identity theft and requires creditors that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program). The FTC deems health care providers that regularly bill patients for services after services are rendered to be ‘creditors’ under the rule.
The Program must be approved by the Board of Directors and must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. More specifically, the Program must:
1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.
The Final Rule may be accessed at http://edocket.access.gpo.gov/2007/pdf/07-5453.pdf. CHA members should develop Identity Theft Prevention Programs in concert with legal counsel to ensure that all rule requirements are addressed.
