Hospitals Struggling to Comply With Red Flags Rules

May 01, 2009

A nationwide survey of health care executives released today by Identity Force indicates that more than 80 percent of hospitals are still not in compliance with the federal Red Flags Rules, which require businesses and organizations to create written identity theft prevention programs. The Federal Trade Commission has set May 1, 2009 as the enforcement deadline for the new regulations. The survey also found that 63.3 percent of facilities experience at least one data breach each year, with 18.8 percent reporting 10 or more breaches annually.

Health care companies are among creditors and financial institutions that must comply with federal regulations designed to prevent identity theft, which claimed 8.3 million U.S. victims last year, according to the Federal Trade Commission. Approximately 11 million companies must comply with the Red Flags Rules, according to SC Magazine. Non-compliance puts facilities at risk for regulatory action, including fines of up to $11,000 per day. The facilities with the highest risk will include those that suffer data breaches.

“It is evident that hospitals are struggling to comply with Red Flags Rules. Medical identity theft and data breaches are increasing, yet compliance efforts are woefully behind schedule,” said Steven Bearak, CEO of Identity Force, the top provider of identity theft solutions to the federal government. According to Bearak, the state of non-compliance is due either to the fact that compliance with the standards set forth by Red Flags Rules to protect patients from identity theft is not a high priority, or it is too complex a task for mid- to large-sized hospitals to satisfy internally.

Key Findings in Identity Force’s “Red Flags Rules: Hospital Compliance Report”

  • Only 17.5 percent of hospitals reported that they were in compliance with Red Flags Rules.
  • Of the 82.5 percent not yet in compliance, 52.7 percent indicated that they were working towards compliance, and 24.3 percent said that they were still evaluating options.
  • Questions remain about the completeness of Red Flags Rules programs, even at facilities that are in compliance or “in the final stages.”
  • 63.3 percent of hospitals reported that they experience at least one data breach yearly, and 18.8 percent reported that they experience 10 or more data breaches annually.
  • The findings indicate that data breaches may be under-reported by hospitals, which also calls into question the level of compliance with the data breach notification laws in place in 44 states.

The online survey was conducted with hospital executives between March 24 and 30, 2009, just four weeks before the Red Flags Rules enforcement deadline of May 1. Seventy-four hospitals from thirty-four states participated in the study. Respondents included Chief Privacy Officers, Chief Financial Officers, Chief Information Security Officers, Chief Information Officers, Compliance Officers and their director-level equivalents.

The Red Flags Rules, developed as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, require organizations to devise written programs to spot warning signs of identity theft, take steps to prevent it and to reduce the damage that results. The prevention programs allow businesses and organizations to recognize suspicious patterns and act before they become identity theft incidents. Effective programs also help businesses avoid absorbing unpaid balances that will never be recovered.

