HHS Signals More Aggressive Action on Identity Theft as FTC Rules Take Effect

Share Article

Healthcare Organizations Are Unprepared for Nov. 1 Deadline on FTC Red Flag Rule HHS Enforcement Officials, Policymakers Pondering New Effort on Identityt Theft Melamedia Audio Seminar Provides Compliance Recommendations on New Rules

The U.S. Department of Health & Human Services (HHS) is showing increasing interest in healthcare's role in fighting identity theft as new Federal Trade Commission (FTC) rules take effect on Nov. 1.

In October, both the HHS Office for Civil Rights (OCR) and the Office of the National Coordination for Health Information Technology (ONC) signaled that stronger actions to address the issues of identity theft and particularly medical identity theft are coming.

On Oct. 10, OCR said it was examining the FTC's identity theft regulations as questions have been raised over whether violations of the so-called "Red Flag" rules could also constitute violations of the HIPAA privacy or security rules. There also have been no decisions on whether OCR or CMS would refer cases to the FTC when they receive complaints in their HIPAA enforcement systems.

Many healthcare organizations are not aware that they will come under FTC authority as a result of identity theft rules that were once thought to only apply to financial institutions and other lenders.

The Red Flag rules require any organization - including nonprofits and government agencies not traditionally subject to FTC jurisdiction -- that does not require payment at the time it provides service to establish and maintain a program to spot and address possible ID theft.

In recent weeks, the FTC said the rules also applied to healthcare entities.

This interpretation by the FTC surprised healthcare organizations and many others, who thought that the regulations under the Fair and Accurate Credit Transactions Act -- a law aimed at financial institutions, credit reporting agencies and others who provide financing for products or services - did not apply to healthcare providers.

With a Nov. 1 deadline to have a compliance plan in place, healthcare organizations must take action now.

In another move underscoring the growing concern, ONC, the lead agency coordinating the effort to create a national electronic health record system, held an Oct. 15 virtual town meeting in conjunction with the FTC that focused specifically on the issue of medical identity theft and what healthcare regulators should do about the problem.

The bottom line for healthcare organizations is that they are under increasing pressure from many regulators to show they are taking appropriate steps to fight identity theft.

To help healthcare organizations and their contractors act on these issues, Melamedia, LLC, publishers of Health Information Privacy/Security Alert is sponsoring a 90-minute audio seminar:


Participants will be briefed on:

** Why the Red Flag Rules apply to healthcare;
** What the Red Flag rules require;
** Under what circumstances healthcare organizations must comply with the rules;
** Practical steps to take to comply with the Red Flag rules;
** Areas of HIPAA compliance that may provide some compliance coverage; and
** The outlook for enforcement.

Who should attend:

** Privacy Officers
** Security Officers
** Billing Professionals
** HIM Professionals
** Health Information Technology Professionals
** Healthcare Providers
** Hospitals
** Health Insurers
** Third Party Administrators
** Pharmacies
** Healthcare Attorneys and Consultants
** Government Health Services Officials
** Researchers Who Require Patient Payment for Any Service Provided in Clinical Trials

The Faculty

Robert Gellman, JD, a is privacy and information policy consultant in Washington, DC, and co-author of Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, produced by the World Privacy Forum. He served as a member of the National Committee on Vital and Health Statistics (NCVHS) from 1996-200. From 1977 to 1994, he served as a staff member and Chief Counsel of the House Government Operations' Subcommittee on Information, where he was responsible for the panel's information policy activities, hearings, oversight, legislation, and reports on general privacy matters, Freedom of Information Act, Privacy Act of 1974, health privacy, collection and dissemination of electronic data and security classification.

Gerald "Jud" DeLoss, JD is vice chair of the American Health Lawyers Association's Health Information & Technology Practice Group and a principal at Gray Plant Mooty, where his practice focuses on representing medical providers in Health Information Technology (HIT), HIPAA, medical staff credentialing, fraud and abuse, transactions, and regulatory compliance


Thursday, Oct. 30, 2008
1 pm - 2:30 pm Eastern


To register, Visit http://www.melamedia.com
call 703.704.5665
Contact: Dennis Melamed

# # #

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Visit website