Thursday, February 17, 2011

FTC Issues an FAQ on Medical Identity Theft

The Federal Trade Commission recently issued an FAQ on medical identity theft that is very informative given all the recent noise about the application (or non-application) of the Red Flags Rule to medical providers (see my earlier posts). 

The FAQs advise that if a provider learns that a patient may be a victim of medical identity theft, the provider should conduct an investigation, and if medical identity theft is found to have occurred, then, among other things, the provider should:

1) notify everyone who accessed the patient's medical or billing records so that the records are corrected;

2) make sure the provider acts in accordance with the requirements of the Fair Credit Reporting Act, which includes understanding that a debt associated with a reported medical identity theft may not be reported;

3) review its data security practices and report any security breaches as required under the Health Insurance Portability and Accountability Act (HIPAA); and

4) ensure that patients are informed of their rights in the organization's Notice of Privacy Practices.

So whether or not you believe the Red Flags Rule applies to providers, all roads lead to HIPAA and your obligation to protect patient privacy and security in a global sense. You might as well dust off that draft Red Flags Rule policy and be ready to do the right thing regarding the PHI or EPHI you handle.