Health care providers implicated in the FTC's Red Flags Rule. As the link indicates, enforcement of the Rule begins on August 1, 2009. In short, within five business days. Large numbers of health care providers fall under the Rule since they can be categorized as "creditors" (see the link for a good summary). Most providers are clearly not ready since they have not taken steps to implement a plan that would provide a "safe harbor." The Rule is designed to anticipate and prevent identity theft. According to this article, 10 million Americans a year have their identities stolen, of these the FTC estimates that as many as 5% have their medical identity stolen, not a small number.
Protecting agaisnt identity theft is all about recognizing signs that it may occur (i.e. the "Red Flags") and subsequently having the right processes and precautions in place to protect the data at risk--personally identitifiable information (PII). OK, but what does all of this have to do with the HITECH Act? On its face, the short answer is nothing at all. But HITECH's Subtitle D already gives the FTC a role regarding personal health records (PHRs), now they will be keeping an eye on health care providers PII data protection activities as well. What are the odds that the FTC notifies HHS if they suspect not only PII is at risk BUT also protected health information (PHI)? In short, protecting data is protecting data. If a provider has sloppy, or non-existent protection in one case, the probabilities are high that it does in most (if not all) cases. You can bet that the FTC, HHS, and CMS will be working closely together or these issues.
There is indeed a regulatory freight train coming unlike anything the health care industry has experienced in the past.
Looking for a best of breed HIPAA Compliance Tracking System?
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.