- HIPAA Update - http://blogs.hcpro.com/hipaa -

President signs Red Flags Rule bill

President Obama Saturday signed the bill [1] that changes the Red Flags Rule’s definition of “creditor” and relieves some physicians of having to comply with the Federal Trade Commission’s identity theft prevention law.

Earlier in the month, the House and Senate passed the bill—“Red Flag Program Clarification Act of 2010.” [2]

The enforcement date for the Red Flags Rule is Dec. 31, 2010. The FTC said earlier this year on its website that it delayed enforcement at the request of Congress as it “considers legislation that would affect the scope of entities covered by the rule.” Compliance date was November 1, 2008.

Red Flags calls for “creditors” to establish a program to protect patients from medical identity theft.

The bill included changes to the FTC’s definition of “creditor.” Smaller entities such as physician practices and doctor’s offices have long debated they should be let off the hook from complying. Some have filed lawsuits.

Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, says the law doesn’t actually “remove physicians from the Red Flags Rule.” It clarifies in a reasonable way, he says, what a “creditor” is.

“I think the FTC went way overboard with their definition of ‘creditor’ including anyone who takes payment after providing the service,” Drummond says. “Taken to its logical extreme, McDonalds and Burger King are not creditors, but Chili’s is. So, it’s a good change to rein in an overbroad regulatory agency.”

Some physicians will still be creditors; plastic surgeons and lasik surgeons, for example, if they take payments over time from their patients.

Drummond adds it’s not that hard to establish an identity theft prevention program, as the Red Flags Rule require; doctors have to have HIPAA programs in place anyway.

“It’s just good practice, and good customer service, to have an ID theft prevention program in place,” Drummond says. “So, even if you don’t have to, you ought to.”