A complete EHR will contain not only personal health information; it will also hold financial and identifying information. This information is valuable to a medical practice for identification, authorization, and billing. However, it can be equally valuable to identity thieves who can use it maliciously. Medical practices implementing EHR software will have to ensure that their system complies with standards for securing both personal health and financial information.
As of August 2009, the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) began enforcing the Red Flags Rules, which require financial institutions and creditors to implement a program to detect, prevent, and mitigate instances of identity theft.
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The program must also have a response plan in place to prevent security breaches and mitigate an adverse event should it occur.
These red flags may fall into five categories:
- Alerts, notifications, or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personally identifying information, such as a suspicious address;
- Unusual use of – or suspicious activity relating to – a covered account; and
- Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
With the growing number of physicians’ offices and hospitals moving to complete EHR systems, more and more identity thieves may see a golden opportunity. The Red Flags Rules are timely, and should be considered when choosing and implementing an EHR system.
Is your system in compliance with these rules? Better slow down and check your engines…