FTC confirms that all health providers have to comply with Red Flags Rule
Posted on March 5th, 2009
The Federal Trade Commission (FTC) confirmed, on 4 February 2009, that physicians and other medical providers have to comply with the identity theft prevention regulation, the Red Flags Rule.
The FTC’s confirmation addresses a challenge raised by the American Medical Association (AMA) in November 2008, which questioned the applicability of the rule to medical providers. According to the AMA, medical providers did not fall under the definition of covered entities, namely ‘creditors’ and ‘financial institutions’.
The FTC Red Flags Rule requires all financial institutions and creditors that have ‘consumer-type accounts’ to implement written identity theft programs to ‘identify, detect and respond to possible risks of identity theft relevant to them’. In a letter to the AMA, the FTC said: ‘[W]e believe that the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payments for goods and services. Physicians, who regularly bill their clients, customers or patients for their services after those services are rendered, are ‘creditors’’. The FTC referred to the definition of ‘creditor’ under the Equal Credit Opportunity Act, describing it as ‘broad’.
The AMA also argued that it was unnecessary for medical providers to comply with the Red Flags Rule, given they already devote substantial resources to comply with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules to ensure the confidentiality and security of their patients’ health data. The FTC responded that the HIPAA rules ensured the prevention of medical data breaches, but not the prevention and mitigation of the misuse of that information if it were compromised.
According to the FTC, the Red Flags Rule would ‘complement rather than duplicate’ the HIPAA rules so that medical identity theft is combated more comprehensively. In response to the burden of costs that physicians would face, the FTC said that it did not believe that the Rule would impose significant burdens for most providers: ‘In many cases, that risk may be minimal or non-existent, such that a simple and streamlined program would be adequate’.
The deadline for compliance with the rule is 1 May 2009.
http://www.ftc.gov/os/closings/staff/090204amaresponse.pdf


