10/30/09: FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission (FTC) is delaying enforcement of the “Red Flags” Rule until June 1, 2010. As part of the Federal Trade Commission's (FTC's) implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003, most medical providers would have needed to comply with the "Red Flags" rule November 1, 2009. The rule requires "creditors" – which the FTC defines to include most health care providers – to establish a program to prevent identity theft in their practices.

CMS Data Content And Code Sites (1407.0K)

Medicare Medical Information and Privacy Clarification (85.0K)

Date: 02/25/2008

Subject: New HIPAA Security Information on the CMS website

Content: On February 20, 2008 The Office of E-Health Standards and Services (OESS) within CMS posted a document called Information Request for Onsite Compliance Reviews. OESS recently procured contracted services to assist with onsite compliance reviews related to potential HIPAA Security Rule violations. To ensure that the industry has an idea of the type of information OESS might request during these reviews, OESS developed a sample security checklist, which highlights several areas of vulnerability associated with the security of electronic protected health information.

Click Link below for full story:

Identity-Theft Red Flag Requirements

The Federal Trade Commission requires healthcare organizations that provide credit to patients to comply with identity-theft red flag rules. The organization must set up a process to find "red flags"--actions that might indicate an attempt to steal the person's personal data for illegal use.

The FTC released the final rules on what it calls “identity theft red flags” on November 9, 2007 in the Federal Register (72FR63718). Essentially, the requirement calls for the creditor (healthcare organization, office, or practice) to set up a process so that its staff can determine or identify possible identity theft “red flags” and respond. The rules are flexible, but do require identification of the potential problem areas, what action is to be taken, and a means to revisit the protocol and update as needed. The final rule and other guidance from the FTC provide suggestions for the flags that might be established.

After a number of delays, the rule takes effect Nov. 1, 2009

For further information read the current information at www.ftc.gov/redflagsrule. The rule contains an appendix (72FR63774) to assist businesses to set up the red flags. Helpful information is also offered on the American Medical Association website at

www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml

HIPAA AND HITECH Update (50.0K)

Red Flag Update 6/2010

The Federal Trade Commission will temporarily exempt physicians from the “Red Flags” rule, pending the outcome of an ongoing court case. The rule requires creditors and financial institutions with "covered accounts" to implement written programs to help detect and respond to practices and activities that could indicate identity theft by Dec. 31. FTC identified Dec. 31as the starting date for enforcement after several previously announced delays. The American Medical Association, American Osteopathic Association and Medical Society of the District of Columbia in May filed a federal lawsuit seeking to prevent the FTC from extending the rule to physicians. Last November, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the rule to attorneys, but the FTC has appealed that decision. Until the court reaches a decision in the case, which was brought by the American Bar Association, the FTC has agreed not to enforce the rule for physicians. The agreement is pending the approval of the D.C. Circuit Court of Appeals.--From the AHA News Now