Looming Red Flags Rule Compliance Deadline

According to a survey conducted by the Federal Trade Commission (FTC), close to 450,000 individuals each year experience some form of medical identity theft.
Victims may find their benefits exhausted or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to health care providers: unpaid bills racked up by scam artists.
What are we doing to resolve this?
In response to the rising number of cases of ID theft, the FTC passed the Red Flags Rule.
This rule requires “creditors” and “financial institutions” to implement an Identity Theft Prevention Program—of which a major component is staff training. The compliance deadline is June 1, 2010. Is your organization ready?
Does my organization have to comply with the rules?
Under the FTC’s rule definition, all “creditors” and “financial institutions” must address the risk of identity theft.
A healthcare provider must comply with the Red Flags Rule if the provider meets the definition of “creditor” under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)).
A creditor as defined under the Fair Credit Reporting Act includes:
- Any organization that regularly extends, renews, or continues credit.
- Any organization that regularly arranges for the extension, renewal, or continuation of credit.
- Or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
Additionally, a healthcare provider must comply with the Address Discrepancy Rule if the provider uses consumer credit reports.
What does this mean in English? If you bill for your services after the service is provided (versus a 100% cash-based service), then you fall under the FTC’s definition of a “creditor.”
Where can I get help in complying with these rules?
There are many resources available from FTC that offer general guidance. However, implementation of this rule is a detailed task.
BridgeFront offers specific guidance for healthcare providers through a quick step-by-step manual and easy online training.
Our manual contains nine steps you need to complete to become compliant. And, our online staff training program meets the ruling’s mandate to train each staff member on the regulation (including physicians). You can even add your organization’s ID Theft Prevention Policy to our online course.
Additional Resources
Download BridgeFront’s free Red Flags Rule white paper by clicking here.
Read an article by the FTC on how healthcare providers must comply by clicking here.
Visit the BridgeFront web site, or contact us directly by phone at 866-447-2211 or send an email to info@bridgefront.com.
Answer to the Most Common HIPAA HITECH Question
Are new business associate agreements needed with the coming HITECH deadline?
This is probably the most common question I get asked these days. There are two camps of thought.
- Many business associate agreements are written with “evergreen” language that automatically incorporates any future changes to HIPAA regulations. So, you could make an argument that the HITECH changes are incorporated by reference. While technically accurate, I think it’s a risky path to take.
- Contracts tend to be relied on when things go wrong, such as if there is a breach of PHI. In that situation, both parties will be better served if the agreement lays out specifically what should occur and where responsibilities lie. If it’s gray, you’ll spend precious time arguing over who should do what and who should pay for it. Better to have that debate now, before the unpredictable happens.
Having an agreement discussion has the positive side effect of forcing organizations to consider the potential risks and liabilities of a breach and to take proactive steps to ensure the risk is minimized in the first place, which is a good thing for everyone.
For specific information concerning the upcoming HIPAA changes, here are a few resources:
To report a breach to the HHS, go to: http://transparency.cit.nih.gov/breach/index.cfm.
Learn about our HIPAA training and learning services by going to: www.hipaarx.net.
Please send questions and comments to info@hipaarx.net or call 866.447.2211.