Congress has passed a bill that exempts doctors and other providers from the Federal Trade Commission's Red Flags Rule, which would have required them to develop and implement written identity theft prevention programs.
The bill was awaiting President Barack Obama's signature as Healthcare IT News went to press. The rule was scheduled to have gone into effect on Dec. 31.
The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring creditors and financial institutions to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
According to officials, the bill was introduced on November 30, and the Senate unanimously passed S. 3987, the Red Flag Program Clarification Act of 2010, that same day. The bill clarifies that small businesses, such as doctors' offices, are not classified as creditors because they do not offer or maintain accounts that pose a risk of identity theft.
This differs from a bill introduced May 25 by Sens. John Thune (R-S.D.) and Mark Begich (D-Alaska). That bill called for "excluding any healthcare practice, accounting practice or legal practice with 20 or fewer employees from the meaning of creditor subject to Red Flag Guidelines regarding identity."
Some experts disapprove of the changes being considered. Pam Dixon, founder of the World Privacy Forum, a nonprofit, public interest research group, sees the original rule as "appropriate rule-making."
"I don't see a good reason for physicians to not want to do this. It ultimately helps both patients and physicians, by protecting both parties," she said.
She said it is "incredibly important" to have an identity theft plan in place, and despite what providers might assume, it doesn't require buying expensive hardware. "You should be able to plug it into HIPAA compliance," she said.
"Red flag means that you look at your company through the eyes of a thief," said Linda Foley, founder of the Identity Theft Resource Center, a national victim assistance and public education organization established in response to an epidemic rise in identity theft crimes. She said the rule brings awareness to how organizations are using sensitive information.
Her advice: "Look at your company. Where are there financial records that could be used for theft? Develop a written policy on how you are going to control information from when it enters to when it leaves and beyond." For example, she asked, "How are you going to get rid of your information?"