The Senate has passed a bill that exempts doctors and other providers from the Federal Trade Commission's Red Flags Rule, which would have required them to develop and implement written identity theft prevention programs.
The rule is currently scheduled to go into effect on Dec. 31. The House of Representatives is expected to pass the bill during the current legislative session.
The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
According to officials, the bill was introduced Nov. 30, and the Senate unanimously passed S. 3987, Red Flag Program Clarification Act of 2010, on the same day. The bill clarifies that small businesses like doctors' offices are not classified as creditors because they do not offer or maintain accounts that pose a risk of identity theft.
This is different from a bill that was introduced May 25 by Senators John Thune (R-SD) and Mark Begich (D-AK). That bill called for "excluding any healthcare practice, accounting practice, or legal practice with 20 or fewer employees from the meaning of creditor subject to Red Flag Guidelines regarding identity."
Many organizations approve of the exemption. In May, the American Medical Association, American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC) filed suit against the Federal Trade Commission charging that the FTC's rule exceeds the powers delegated to it by Congress and that its application to physicians is "arbitrary, capricious and contrary to the law."
The National Community Pharmacists Association expressed its approval to the Senate. "We commend Senators Begich, Dodd, Shelby and Thune for their hard work to ensure that reasonable consumer protections can go forward without unduly burdening pharmacists and other providers with unnecessary, time-consuming requirements," said NCPA Executive Vice President and CEO Kathleen Jaeger.
But others disapprove. Healthcare IT News spoke to a few in May, when the earlier bill, S. 3416, was introduced.
Pam Dixon, founder of the World Privacy Forum, a nonprofit, public interest research group, views the rule as "appropriate rule making."
"I don't see a good reason for physicians to not want to do this. It ultimately helps both patients and physicians, by protecting both parties," she said.
She said it is "incredibly important" to have an identity theft plan in place, and despite what providers might assume, it doesn't require going out and buying expensive hardware. "You should be able to plug it into HIPAA compliance," and what you are already doing, she said.
"Red flag means that you look at your company through the eyes of a thief," said Linda Foley, founder of the Identity Theft Resource Center, a national victim assistance and public education organization established in response to an epidemic rise in identity theft crimes. She said the rule brings awareness to how organizations are using sensitive information.
Her advice: "Look at your company. Where are there financial records that could be used for theft? Develop a written policy on how you are going to control information from when it enters to when it leaves and beyond," she said. For example, she asked, "How are you going to get rid of your information?"
"With the rate of identity theft growing in the U.S., it makes good business sense for someone extending credit to be cautious about risk of identity theft," added Scott Mitic, CEO of TrustedID and a national expert on identity theft and consumer credit issues.