The Federal Trade Commission has issued revised guidance to help organizations comply with its Red Flags Rule, which requires businesses to watch for and respond to "red flags" of identity theft.
Hospitals and other healthcare providers that meet the rule's definition of "creditor" must abide by the Red Flags Rule and develop and implement a written identity theft prevention program. Businesses count as creditors if they do the following, in addition to deferring payment for goods and services or billing customers:
• Receive or use consumer reports in connection with a credit transaction.
• Give information to credit reporting companies in connection with a credit transaction.
• Advance funds to or for someone who must repay them, either with funds or pledged property. This excludes incidental expenses in connection to services the business provided to the consumer.
The regulatory obligations in the rule are not triggered by isolated conduct. According to the rule, these activities must be done "regularly and in the ordinary course of business."
"What is deemed 'regularly and in the ordinary course of business' is specific to individual companies," the new guidance states. "If you get consumer reports or furnish information to a consumer reporting company regularly and in the ordinary course of your particular business, the rule applies, even if for others in your industry it isn't a regular practice or part of the ordinary course of business."
If they meet the "creditor" definition, hospitals must develop a program that includes four basic elements:
• It must include reasonable policies and procedures to identify the red flags, suspicious patterns or practices of identity theft that may occur in day-to-day operations.
• A program must be designed to detect identified red flags. If you have identified fake IDs as a red flag, for example, procedures must be in place to detect possible fake, forged or altered identification.
• A program must detail the appropriate actions the organization will take when you red flags are detected.
• A program must detail how the organization will keep its policies current to reflect new threats.
More Articles on Hospitals and Fraud:
CMS: More Than 14k Providers Kicked Out of Medicare Since 2011
Updated Fraud Self-Disclosure Protocol: 5 Considerations for Healthcare Providers
10 Recent Investigations, Lawsuits and Settlements Involving Hospitals