The Federal Trade Commission has pushed the clock forward on the so-called "red flags" rule deadline that could affect hospitals across the country. The deadline moves ahead six months to May 1, 2009.
Under the rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.
Hospitals are likely to be subject to FTC oversight under the rule because they may meet the rule's broad definition of "creditor" and have patient accounts that fall within the scope of "covered accounts," according to the American Hospital Association.
For hospitals, the AHA says, compliance efforts will likely involve consolidating procedures into a written format and obtaining board approval of the initial written policy.
FTC officials said the deadline delay will give organizations that are not aware that the rule applies to them more time to implement identity theft prevention programs.
Federal law defines a creditor as any entity that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew or continue credit.
Examples of creditors include finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies and nonprofit and government entities that defer payment for goods or services.
According to a report of the President's Identity Theft Task Force, identity theft results in billions of dollars in losses each year to individuals and businesses.
The Office of the National Coordinator for Healthcare Information Technology took up the issue in June with a $450,000 contract with consultant Booz Allen Hamilton. The project followed a rash of well-publicized privacy breaches at some of the nation's top hospitals.
Pam Dixon of the World Privacy Forum pegs incidents of medical identity theft at about 250,000 a year.
"The prevention and detection of medical identify theft, along with actions to address problems that may occur as a result of medical identity theft, are necessary steps to build consumer trust in electronic health information exchange," said Robert M. Kolodner, MD, national coordinator for healthcare information technology.
Does your hospital have a plan for preventing identity theft? What's your best advice to other healthcare organizations developing one? Send your comments to Bernie Monegain at bernie.monegain@medtechpublishing.com.