Hospitals struggle to comply with federal identity theft rules

Approximately 80 percent of U.S. hospitals are still not in compliance with federal Red Flags Rules that require businesses and organizations to create identity theft prevention programs, according to a nationwide survey of healthcare executives released by Identity Force.

The Federal Trade Commission has set May 1 as the enforcement deadline for the new identity theft regulations that went into effect Nov. 1, 2008. The online survey was conducted among hospital executives from March 24-30 and included chief privacy officers, chief financial officers, chief information security officers, chief information officers, compliance officers and their director-level equivalents.

The report noted that under the Red Flags Rules, many doctors' offices, hospitals and other healthcare providers "are required to spot and heed the red flags that often can be the telltale signs of identity theft."

The survey also found that 63.3 percent of facilities have data breaches each year, with 18.8 percent reporting 10 or more breaches annually.

Non-compliance with the Red Flags Rules puts facilities at risk for regulatory action, including fines of up to $11,000 per day. The facilities with the highest risk will include those that suffer data breaches, according to Identity Force.

Additional findings from the report include:
• Only 17.5 percent of hospitals reported that they were in compliance with Red Flags Rules;
• Of the 82.5 percent not yet in compliance, 52.7 percent indicated that they were working towards compliance, and 24.3 percent said that they were still evaluating options;
• 63.3 percent of hospitals reported that they experience at least one data breach yearly, and 18.8 percent reported that they experience 10 or more data breaches annually; and
• The findings indicate that data breaches may be under-reported by hospitals, which also brings into question the level of compliance with data breach notification laws that are in place in 44 states.

Identity Force offers identity theft protection, compliance and data breach prevention services to businesses, hospitals, higher education and government agencies.

A copy of the report can be found at