Are You Prepared for the May 1 Deadline?

The Federal Trade Commission's (FTC) deferred enforcement of the Red Flags Rules (Rules) will expire on May 1, 2009, and those affected by the Rules should ensure that they have an appropriate Red Flags Program in place.

In November 2007, the FTC, jointly with other federal financial institution regulatory agencies, issued the Rules under the Fair and Accurate Credit Transactions Act, which amended the Fair Credit Reporting Act (FCRA). The Rules require many businesses, including healthcare providers, to take measures to combat identity theft if they provide a product or service for which a consumer pays after delivery.

The Rules require covered businesses to develop and implement a written identity theft prevention program (Program) to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of accounts.

Enforcement may be in the form of civil monetary penalties up to $2,500 per violation. State attorneys general can seek injunctive relief in addition to damages. Additionally, victims of identity theft may be able to bring claims under other theories of liability, such as private torts and through state identity theft laws, which may lead to substantial damages.

FTC Releases Health Breach Notification Proposed Rule

On April 16, 2009, the FTC proposed a comprehensive set of rules regarding privacy, security and breach notification requirements for vendors of personal health records and related entities (Vendors) pursuant to the American Recovery and Reinvestment Act of 2009.

Globally, the proposed rule requires Vendors to notify consumers following a breach. The proposed rule also requires that a Vendor’s service providers, if they experience a breach, must notify a senior official of the Vendor, and that official must acknowledge the notice. The Vendor must, in turn, notify its consumers of its service provider’s security breach. The proposed rule broadly defines a "breach" as the acquisition of unsecured personal health record identifiable health information without the individual patient's authorization, including unauthorized downloading by a provider’s employee.

If a breach has occurred, Vendors are required to notify the affected consumers and the media (if more than 500 consumers in a state or jurisdiction are affected) without unreasonable delay after they learn or should have learned of the breach. Vendors also must notify the FTC in many cases. The FTC will post the breach information on its website and notify the Secretary of the U.S. Department of Health and Human Services (HHS). The proposed rule also contains additional requirements governing the timing, method and content of a breach notice.

Comments on the proposed rule must be submitted to the FTC by June 1.