On January 1, 2008, the Federal Trade Commission passed an identity theft regulation. The original compliance date was set for November 1, 2008 and was then delayed to May 1, 2009.

The regulation requires all employers, regardless of industry, to make a good faith effort to thwart identity theft of employees, customers, and anyone else they involve in business transactions. The compliance requirement applies to any business or individual who maintains or otherwise possesses consumer information for a business purpose.
The health care industry has expressed confusion about the difference between HIPAA and the identity theft regulation. What is similar is the method by which every employer must comply. What is different is the information each regulation focuses on.

HIPAA focuses on patient health information.

Red Flag focuses on the identity of individuals used for business purposes. This includes, but is not limited to, employee applications, payroll data, W-2 forms, Social Security numbers, driver's licenses, credit cards, military records, and birth certificates.
Employee or customer information lost under the wrong set of circumstances may cost a company or practice:
- Federal and state fines of $2500 per occurrence
- Civil liability of $1000 per occurrence
- Class action lawsuits with no statutory limitation
- Responsibility for the actual losses of the individual ($92,893 avg.)
While the fines may pale in comparison to HIPAA or Gramm-Leach-Bliley, what stands out is the class action lawsuits that have no statutory limitation and the financial liabilities we will be held accountable for.
To learn more, request a PDF on the topic or go to askleslie.net for the full article.