President Obama signed into law a bill that clarified the term "creditor" in the Red Flags Rule, excluding doctors and other small businesses, on Saturday.
Red Flag Program Clarification Act of 2010 (Bill, S. 3987) sponsored by Senators John Thune (R-SD) and Mark Begich (D-AK), was scheduled to go into effect on Dec. 31. It was first introduced in the Senate on Nov. 30 and unanimously passed on the same day. The Senate passed the bill by voice vote on Dec. 7.
The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
The Red Flag Program Clarification Act clarified that small businesses like doctor's offices are not classified as creditors because they do not offer or maintain accounts that pose a risk of identity theft.
But, as one reader told Healthcare IT News, "the problem is that there is medical identity theft. The issue of whether doctors are creditors or not is clouding the real problem. Anybody who works with physician offices knows that they do not easily accept change and sometimes will only do something if they are forced to. Letting them off the 'Red Flag' hook just gives these offices the excuse they need to ignore it." He added that it only took his office two days to create a policy and train staff.
But others, including the American Medical Association (AMA), American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC), felt the rule was "arbitrary, capricious and contrary to the law." On May 21 they filed a suit in federal court seeking to prevent the Federal Trade Commission (FTC) from extending identity theft regulations to physicians.
Leann Fox, director of Washington Advocacy and Communications, for AOA said the association and the 70,000 osteopathic physicians it represents, applauds the passage of the bill. She said that it ensures that "small physician practices do not face undue regulatory burden associated with complying with the previous definition of the Red Flags Rule."
"The Medical Society of the District of Columbia is pleased that Congress has done what the FTC has failed to do – namely clarify that the Red Flags Rule was never intended to apply to physicians and many of the other professionals that the FTC appeared to want catch in its net," said K. Edward Shanbacker, executive vice president, Medical Society of the District of Columbia.
"When the original law was passed in 2003, there was no legislative intent to place an additional regulatory burden on physicians. Rather, it was an attempt to deal with the growing problem of identity theft as a result on records kept by creditors such as banks, credit card companies and payday lenders," said Shanbacker. "The FTC chose the broadest possible interpretation, despite the fact that physicians already have protections in place to guard against identify theft of patient information as required by HIPAA."
"I don't understand the hassle with the red flags compliance, it is just good business," said Linda Foley, founder of the Identity Theft Resource Center, a national victim assistance and public education organization established in response to an epidemic rise in identity theft crimes. However, that said she acknowledges that they do provide a good argument in that physicians, unlike hospitals, rarely have to extend credit by setting up a system where patients pay monthly, because the bills are generally smaller.
"I am glad to see things moving forward and that there are no more obstacles," she said.
Foley advises physicians not to use this as an excuse for not examining how they handle personal information and making it a part of their working policy. "I hope there is still a concerted effort to use best practice and protect personal information," she said.