Should I purchase a manual for the Red Flags Rule?

Perhaps, but your written program must reflect the red flags identified for your practice and the policies and procedures to detect and respond to red flags that are part of the day to day operations of the practice. Most practices should be able to create a written Red Flags program by performing a basic risk assessment and incorporating the activities and policies related to identifying, protecting, and responding to risks of identity theft into their existing office procedures manual, job descriptions, and HIPAA privacy and security manuals.

For instance, a small practice may create a table (1-page Word file; About Downloading) of practice policies that support the activities for preventing identity theft and then indicate for each item the policy or action to be taken or where a related written policy already exists. This may also require development or change to some existing documents, such as amending a HIPAA Business Partner Agreement to include Red Flags rule provisions.