Hospitals Struggling to Comply With Red Flags Rules

FRAMINGHAM, Mass.--(BUSINESS WIRE)--A nationwide survey of health care executives released today by Identity Force indicates that approximately 80 percent of hospitals are still not in compliance with federal Red Flags Rules that require businesses and organizations to create identity theft prevention programs. The Federal Trade Commission has set May 1, 2009 as the enforcement deadline for the new regulations. The survey also found that 63.3 percent of facilities have data breaches each year, with 18.8 percent reporting 10 or more breaches annually. A copy of the report can be found at www.identityforce.com/redflagsrulesreport.pdf.

Health care companies are among creditors and financial institutions that must comply with federal regulations designed to prevent identity theft, which claimed 8.3 million U.S. victims last year, according to the Federal Trade Commission. Approximately 11 million companies must comply with the Red Flags Rules, according to SC Magazine. Non-compliance puts facilities at risk for regulatory action, including fines of up to $11,000 per day. The facilities with the highest risk will include those that suffer data breaches.

"It is evident that hospitals are struggling to comply with Red Flags Rules. Medical identity theft and data breaches are increasing, yet compliance efforts are woefully behind schedule," said Steven Bearak, CEO of Identity Force, the top provider of identity theft solutions to the federal government. According to Bearak, the state of non compliance is due either to the fact that compliance with the standards set forth by Red Flags Rules to protect patients from identity theft is not a high priority, or it is too complex a task for mid to large sized hospitals to satisfy internally.

Key Findings in Identity Force's "Red Flags Rules: Hospital Compliance Report"

• Only 17.5 percent of hospitals reported that they were in compliance with Red Flags Rules.
• Of the 82.5 percent not yet in compliance, 52.7 percent indicated that they were working towards compliance, and 24.3 percent said that they were still evaluating options.
• Questions remain about the completeness of Red Flags Rules programs, even at facilities that are in compliance or "in the final stages."
• 63.3 percent of hospitals reported that they experience at least one data breach yearly, and 18.8 percent reported that they experience 10 or more data breaches annually.
• The findings indicate that data breaches may be under reported by hospitals, which also brings into question the level of compliance with data breach notification laws that are in place in 44 states.

The online survey was conducted with hospital executives between March 24 and 30, 2009, just four weeks before the Red Flags Rules enforcement deadline of May 1. Seventy-four hospitals from thirty four states participated in the study. Respondents included Chief Privacy Officers, Chief Financial Officers, Chief Information Security Officers, Chief Information Officers, Compliance Officers and their director level equivalents.

The Red Flags Rules, developed as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, require organizations to devise written programs to spot warning signs of identity theft, take steps to prevent it and to reduce the damage that results. The prevention programs allow businesses and organizations to recognize suspicious patterns and act before they become identity theft incidents. Effective programs also help businesses avoid absorbing unpaid balances that will never be recovered.

Identity Force offers identity theft protection, compliance and data breach prevention services to businesses, hospitals, higher education and government agencies, and recently launched its Merchant Protection Program to help small businesses guard against data breaches and help consumers identify businesses taking a proactive approach to data protection. More information on complying with Red Flags Rules can be found by visiting www.identityforce.com/ProtectBusiness.php.

"Regardless of the letter of the law, identity theft and data breaches are clearly inevitable at our nation's hospitals. Administrators must take appropriate action or face significant financial risk and reputation damage," said Bearak. "Complying with new laws and regulations and protecting patients is not an option; it is a necessity for organizations that want to survive in our new economy."

About Identity Force

Identity Force is a leading provider of complete, 360° proactive identity theft protection for individuals, businesses and government agencies. Identity Force was launched in 2005 as a response to the dramatic increase in identity theft crimes in the United States. A division of Bearak Reports, Inc. which was founded in 1992, Identity Force draws on broad, deep expertise in information verification services for its complete, proven approach to identity theft protection. Identity Force's corporate office is located in Framingham, Massachusetts. For more information about Identity Force, call 1-877-IDFORCE or visit www.identityforce.com to learn more.