Red Flags: Preventing ID Theft
Is the June 1 Enforcement Date Real This Time?
Building a program to prevent identity theft makes good business sense, says Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash. "Why would anyone invite the risk of exposure and loss of reputation?" he asks.
"Too many organizations waste too much time on whether to put in privacy and security safeguards based only upon whether someone will catch them if they don't," adds Rebecca Herold, owner of Rebecca Herold & Associates. "You want to avoid having breaches occur. It's just common sense to put safeguards in place, regardless of enforcement."
Under the Identity Theft Red Flags Rule, which dates back to 2007, any organization that extends credit to its clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.
The FTC is already enforcing the rule for many financial services companies, including banks. But it has repeatedly delayed enforcement in healthcare in reaction to protests and concerns from that sector.
An FTC spokesman told HealthcareInfoSecurity.com that enforcement of the rule in healthcare is still slated to kick in on June 1.
But attorney Gerry Hinkley, of the San Francisco firm Pillsbury Winthrop Shaw Pittman LLP, is among those who continue to doubt whether the rule will ever apply in healthcare. He says the rule isn't as important in this sector because healthcare organizations grant far less credit than financial institutions. Plus, he argues that the HIPAA privacy and security provisions do an adequate job of protecting against identity theft.
Earlier this year, the American Medical Association and three other healthcare groups called on the FTC to exclude healthcare professionals from the rule. They contended that the rule "imposes an unjustified, unfunded mandate on health professionals for detecting and responding to identity theft."
They pointed to a ruling by the U.S. District Court for the District of Columbia exempting lawyers from the requirements of the rule. "Our four organizations believe that applying the rule to health professionals, but not to lawyers, would be unfair," said J. James Rohack, M.D., president of the American Medical Association.
The right thing to do
But Paidhrin, the security compliance officer, argues that complaining about the Red Flags Rule is a waste of time "because healthcare organizations should already have the policies and practices in place to address the issue of financial identity theft."
He notes that many states already have regulations in place that are very similar to the Red Flags Rule. "And having a program in place to detect ID theft should be routine for any size organization," he argues.
Southwest Washington Medical Center created a Red Flags compliance team headed by its patient accounting director, who oversees the granting of credit to patients. The team created policies and processes for preventing financial ID theft and spotting potential theft incidents. And it created an awareness program for all staff members.
Although some of the steps involved in complying with the Red Flags Rule overlap with HIPAA requirements, "if you have a compliance program in place already, adding one extra component to it is reasonable," Paidhrin says. "If you offer credit, you should be looking out for fraud, waste and abuse."
Staff training is the most important aspect of any financial ID theft prevention effort, Herold stresses. "And it should not be a one-shot deal, but ongoing."
To prevent fraud, organizations also should make sure that access to financial systems is restricted to "only those with a business need," Herold advises.
"Hospitals and others need to make sure to pay closer attention to validating the identity of the people coming in seeking treatment," she stresses. That involves training registrars to ask for multiple forms of identification, verify insurance coverage and look for such "red flags" as an unexplained change of address to a post office box number.