Ask CCRM: Red Flags Rule Requirements for Continuing Care Providers
September 25, 2009 | Aging Services Risk, Quality, & Safety Guidance
Continuing Care Risk Management (CCRM) has received a number of member queries about the requirements of the Federal Trade Commission’s (FTC) Red Flags Rule. Continuing care providers will be interested to know that the FTC recently delayed enforcement of the Red Flags Rule until November 1, 2009, giving organizations more time to comply with the rule.
A red flag, as defined by the FTC’s rule, is a pattern or activity that indicates identity theft, including medical identity theft. Numerous examples—ranging from altered identification documents to notices of data breaches involving patient information—are listed in the FTC rule; healthcare organizations should select the red flags that apply to their own situations and incorporate them into their identity theft prevention policy. Steps healthcare organizations should follow to ensure compliance with the rule include: obtaining approval of the identity theft program from the board of directors or an appropriate committee; ensuring oversight of the program by a senior manager; training appropriate staff as necessary; conducting a risk assessment to identify covered accounts—starting with patient and resident accounts—at risk of identity theft; and incorporating reasonable and appropriate responses to those risks. In some situations, existing policies, such as the privacy and security policies required by the Health Insurance Portability and Accountability Act, may apply. Once the FTC begins enforcing the rule, it will be able to...