
Oct 19

Experts: exemption from Red Flags Rule not necessary


Some industry experts do not think it is necessary to exempt healthcare entities with fewer than 20 employees from compliance with the FTC’s Red Flags Rule.

Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, says healthcare entities should already have an identity theft prevention program in place.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says the exemption does not make sense because it affects a great number of physician offices. (He cited this data.)

“This was most concerning because in isolation, it may sound like it makes sense to base exclusions on the number of employees in a particular healthcare practice,” Ruelas says. “But with a bit more analysis, this exclusion has a sweeping effect on an industry level when speaking of primary care physicians, where most people receive their medical care.”

Ruelas adds he does not “see a correlation between the objective of the Red Flag Rules and the size of an organization which would support smaller organizations to be excluded.”

If the bill passes, it would remove a large compliance burden from small facilities, says William M. Miaoulis, CISA, CISM, of Phoenix Health Systems, whose corporate offices are located in Texas, Maryland and Hawaii.

However, it should not eliminate the need to protect patients’ identity.

“Identity theft can certainly occur at organizations of any size and all organizations should take steps to enhance security and minimize the threat of identity theft,” Miaoulis says. “Removal of the stringent requirements of the Red Flag Rules for small organizations would remove the burden of meeting the specifics of the rule, but should not eliminate the need for them to consider identity theft prevention.”

John C. Parmigiani, MS, BES, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, says the bill is “premature” since it hasn’t passed. He says it mirrors HIPAA’s treatment of small providers with fewer than 10 people who do not file claims electronically.

“I still believe the major determinant is whether the provider is a ‘creditor,’ not its size or if it knows everybody that it deals with,” Parmigiani says. “Of greater concern is how it is protecting the digital information of the patient to whom it extends credit.”

Categories : Red Flags Rule
