It was announced on July 28th that the twice-delayed implementation of the Red Flags Rules for identity theft (wait for it…..) have been delayed for a third time.
This third delay sets aside the rules’ implementation from August 1, 2009 to November 1, 2009, which would be exactly one year from the original proposed implementation date of 11/1/08.
From what I’m hearing throughout the industry, the entities both most affected and least prepared for implementation of the Federal Trade Commission guidelines are medical providers. This is somewhat ironic, as it was discovered within a year of the HIPAA Privacy Rule becoming the industry standard that the greatest threat to patient privacy was identity theft from the “inside”.
Medical providers and their ancillary agents now have an additional three months to get procedures in place for the prevention of identity theft. My primary suggestion to anyone who would ask would be to run credit and background checks on all employees who interact with protected health information on a daily basis. Given the stringent nature of the Red Flags Rules, this should be standard operating procedure for all new and/or prospective employees in this capacity going forward.
Additionally, all patients should be asked for picture ID and an actual insurance card upon presentation to a clinic setting for treatment. This is a good practice to get into from a business perspective as well, as it insures that the most up-to-date information is on file and that claims are submitted to the correct entity from the get-go.
This standard is a little harder to follow in an emergency room setting, as EMTALA laws force patient treatment upon arrival regardless of ability to pay. It is suggested that hospitals design a red flag model that allows for real-time determination of the identity of the patient above and beyond what is presented by him/her and/or their representatives upon arrival to an ER for treatment.