This past year, the Federal Trade Commission issued a set of regulations (i.e., "Red Flag Rules"), that require certain entities to develop and implement written ID theft-prevention protection programs.  One of those required entities is the category of "all healthcare providers".  Guess what?  That includes mental health providers!

You may recall that one aspect of the federal HIPAA regulations included security rules that required a clinician to notify clients if a security breach of their private healthcare information occurred in one's practice.  This type of "response" to a security breach is seen as "reactive" rather than a "preventative" strategy.

The federal government has observed that there has been an increase in identity-theft for the purpose of seeking and receiving health services by using someone else's name, and/or purchasing healthcare insurance coverage, based on someone else's clean bill of health.  Therefore, they have determined that all healthcare providers must have preventative measures in place, in addition to the earlier (HIPAA-era) reactive policies.

The term "Red Flag" refers to flagging circumstances that would indicate that identity theft may be occurring-- thus creating a proactive approach to this problem.

These Red Flag Rules become enforceable as of November 1, 2009.  While various categories of healthcare services have formally objected to these legal requirements as not relevant to certain types of treatment settings, the Federal Government has not modified the requirements.  Therefore, we remain legally obliged to comply.

Robert E. Smith, Attorney at Law, and I will be teaching a new workshop in the near future (hosted by Cascadia Training), that addresses the requirements for mental health clinicians in response to this new federal requirement.  Either check back on this website to see the schedule for this workshop, or see the "calendar" section of the Cascadia website.