Identity Theft and the FTC’s Red Flags Rule

FTC Red Flags Alert Rule

Update: In a voice vote today, December 7, 2010, the House passed the Red Flag Program Clarification Act of 2010. The Act now goes to President Obama for signing.

On November 30, 2010, the U.S. Senate passed legislation that could exempt health care providers from the FTC’s Red Flag Rule. The Red Flag Program Clarification Act of 2010 amends the Fair Credit Reporting Act with regard to the applicability of identity theft guidelines to creditors. Under the amendment, a “creditor” will “not include a creditor . . . that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” There is an identical companion bill before the House, which is expected to pass. The Clarification Act may lift an impending compliance burden on businesses that do not collect payment for services at the time services are rendered, where there is no reasonably foreseeable risk of identity theft.

Hot Topics in Electronic Data Usage, Privacy and Security Webinar

The Kentucky Chamber is sponsoring a webinar on electronic data usage, privacy and security on November 18, 2010, from 3:00 to 4:00 pm (EST). Erin McMahon, Esq., a partner with Wyatt, Tarrant & Combs, LLP, and a member of its Health Care Service Team, will talk about employers’ maintenance of the privacy and security of electronic data and using it properly. The webinar will examine what data should be private on employees’ computers, some of the Web site and social media issues facing employers, the new Federal Trade Commission (FTC) Red Flags Rule, and data breaches. For more information, and to sign up, click here.

HHS Office of Civil Rights updates HIPAA Breach Website

As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR is posting breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflects the following:


The FTC’s Identity Theft Red Flags Rule: Catching the uninsured in the act of medical services theft

Article Summary:  The Federal Trade Commission’s Red Flags Rule for identity theft applies to most health care providers according to the FTC’s current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an area that the Department of Health & Human Services, since the issuance of the Red Flags Rule in late 2007, has seen fit to strengthen under the HITECH Act of 2009, through both enhanced security protections and breach notification requirements. Further, the HITECH Act put into motion aggressive health information technology reform that also will likely address medical identity theft. Do we really need another federal agency regulating the privacy and security protections that health care providers provide for medical records? This article summarizes the key components of the Red Flags Rule that will draw most health care providers into its reach and discusses how current health care reforms may impact favorably on preventing medical identity theft.
