The Federal Trade Commission issued a 17-page how-to guide to help organizations comply with new privacy measures required under what is called the red flags rule. The ruleset, to be enforced beginning May 1 following a six-month reprieve, is directed at creditors and financial institutions and last year surprised hospitals and physicians when it became clear it would apply to them.
The rule, which stems from the Fair and Accurate Credit Transactions Act of 2003, requires covered entities to have written policies that specify indicators, or red flags, of identity theft and procedures to detect and respond to them. The FTC interprets the law to apply to any organization that allows deferred payment for services, including when hospitals establish payment plans for patients unable to pay their bills or when physician practices and hospitals collect billing information and copayments and then bill patients later for the balance they owe.
The FTC in February rebuffed an effort by the American Medical Association and other physician associations to argue their members should not have to comply with the rule. An electronic version of the new guide is available at the FTC's Web site.