Most companies affected may be unaware of their obligations to comply with the Federal Trade Commission’s Red Flag Rules focusing on identity theft. This legislation was enacted last year and enforcement was scheduled to begin on November 1. Even though all organizations are now technically required to be compliant, the FTC moved the enforcement date to May 1 and most recently to August 1, 2009, because most organizations were unaware of the requirements.
This regulation may affect anyone who provides services where the consumer is invoiced monthly or who provides the consumer with a payment plan.
The American Health Care Association and American Medical Association have confirmed that healthcare providers must comply. The FTC has responded to the AMA and explained the reasoning why healthcare providers are required to comply.
Click here to read the letter.
Cost Effective Customized Solution
Visage Solutions will provide a senior consultant to review the red
flag rules with you, conduct a Risk Assessment, and customize our
Red Flag Template Policy(s) and Training Guide to help you design a
solution. Any procedures that must change or monitoring that you
must perform to satisfy compliance will be identified.
Q&A on Visage Solutions Red Flag offering:
1. What kinds of policies are included?
· Overview Identity Theft Policy
· Registration (new client or patient acceptance)
· Red Flag Review
· Investigation of Suspected Identity Theft
· Disposition of Erroneous Records
2. How much of my staff’s effort is needed?
A few hours to answer questions for our Risk Assessment while walking through your registration and transaction (treatment) processes, and a few more to review and finalize the policies and training materials.
3. How many red flags are there?
The Federal Financial Institution Examination Council (FFIEC) has identified 26 financial red flags along with implementation guidelines. Visage Solutions has identified an additional 18 medical red flags to be considered by the health care community.
4. Will we be responsible to monitor all the red flags?
Not necessarily. This regulation is risk based, and the red flags you will be responsible for depend on the results of your risk assessment. As an example, a retirement home has a different risk profile than that of a hospital.
5. So after this service, am I completely compliant with the Red Flag Rule?
No. There may be some procedures you need to change, and you may need to put in some monitoring to cover any conflicting treatments. You will also have to have the policies approved by your board or senior management team and train any personnel on your new procedures. You will also have to monitor and review the program on a yearly basis.
6. I can’t believe that health care providers have to worry about identity theft.
Actually, this covers both financial and medical identity theft. The AHCA and AMA have confirmed it; you can look at their websites at www.ahcancal.org or www.ama-assn.org and search for Red Flag Rule. The FTC explained their position in this link.
7. We're already compliant with HIPAA, GLBA, the Bank Secrecy Act, etc. How is this different?
Those other laws are meant to protect data. This one is different in that it assumes someone has already stolen someone else’s identity and is trying to fraudulently use it.
8. What is the cost?
We will have to find out a little more about your organization before a fixed cost can be given. However, a single office environment with a fairly robust registration process can cost as little as $500 for a fully customized set of deliverables for your organization.
9. Why should I do this now? Don't I have until 2009?
It's true that the enforcement date has been moved to August 1, 2009; however, the effective date is still January 1, 2008. Even though the FTC penalties won't begin until then, you should still think about how identity theft can affect your customers and the potential negative publicity it can bring to your organization.