American Academy of Family Physicians

What is required to comply with the Red Flags Rule?

Physicians who are creditors as defined by the rule must:

  • Develop a written program to identify, protect, and respond to possible risks of identity theft relevant to their practice and the way in which patient accounts are created and maintained in the practice.
  • Periodically update the program using practice experience, changes in methods of identity theft, changes in methods of preventing identity theft, and changes in business arrangements (e.g., new outside billing or collection contracts).
  • Provide oversight from owners, board of directors, or senior management, including identifying a person who will be responsible for the program’s implementation and review of reports and changes to the program.
  • Require staff to create a report, at least annually, outlining the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the program.
  • Take steps to ensure that service providers that conduct activities with patient accounts have reasonable policies and procedures to prevent, detect, and mitigate the risk of identity theft.

However, the details of how a practice meets these requirements may be determined by the practice based on the practice’s risk related to identity theft. For instance, a small physician practice where the physician and staff know most of their patients would need a less stringent program than a large physician practice where few patients are well known to the physicians and staff.