Time is Almost Up for FTC Red Flag Rule Compliance

The deadline by which health care providers must have their FTC Red Flag Rules compliance program in place is fast approaching. Although the deadline for compliance was November 1, 2008, the FTC postponed enforcement of the Red Flag Rules until May 1, 2009. Health care providers, along with financial institutions and other creditors, must be in compliance with the FTC’s Red Flag Rules by then. As we explained in a posting in October 2008, health care providers who periodically allow patients to pay for medical services over time through a series of payments should have written policies that identify the “red flags” or indicators of possible identity theft they may come across in the course of business, establish procedures to detect those red flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training staff and keeping applicable policies current. Health care providers should also have procedures in place to ensure that their vendors are in compliance with the Red Flag Rules. This could mean amending existing business associate agreements or asking for copies of the vendors’ Red Flag policies.

For those health care providers who are still unsure about what the Red Flag Rules mean, the FTC has issued a “How-to Guide” that gives an easy-to-understand overview of the Rules.

In addition, a sample Red Flag Policy for health care providers developed by the American Hospital Association can be found here. Your compliance counsel should also be able to assist with developing a Red Flag Rules compliance program.