Archive for Red Flags Rule
The House of Representatives unanimously passed a bill Tuesday, Oct. 20, that would exempt providers with fewer than 20 employees from complying with the FTC’s identity theft Red Flags Rule.
Some industry experts do not think it is necessary to exempt healthcare entities with fewer than 20 employees from compliance with the FTC’s Red Flags Rule.
Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, says healthcare entities should already have an identity theft prevention program in place.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says it does not make sense because it affects a great number of physician offices. (He cited this data)
“This was most concerning because in isolation, it may sound like it makes sense to base exclusions on the number of employees in a particular healthcare practice,” Ruelas says. “But with a bit more analysis, this exclusion has a sweeping effect on an industry level when speaking of primacy care physicians where most people receive their medical care.”
Ruelas adds he does not “see a correlation between the objective of the Red Flag Rules and the size of an organization which would support smaller organizations to be excluded.”
If the bill passes, it removes a large burden for small facilities to comply, says William M. Miaoulis, CISA, CISM, of Phoenix Health Systems, whose corporate offices are located in Texas, Maryland and Hawaii.
However, it should not eliminate the need to protect patients’ identity.
“Identity theft can certainly occur at organizations of any size and all organizations should take steps to enhance security and minimize the threat of identity theft,” Miaoulis says. “Removal of the stringent requirements of the Red Flag Rules for small organizations would remove the burden of meeting the specifics of the rule, but should not eliminate the need for them to consider identity theft prevention.”
John C. Parmigiani, MS, BES, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, says the bill is “premature” since it hasn’t passed. He says it mirrors HIPAA with small providers with less than 10 people who do not file claims electronically.
“I still believe the major determinant is whether the provider is a ‘creditor,’ not its size or if it knows everybody that it deals with,” Parmigiani says. “Of greater concern is how it is protecting the digital information of the patient to whom it extends credit.”
The House of Representatives filed a bill October 8 that would exempt “a healthcare practice with 20 or fewer employees” from the FTC’s Red Flags Rule requirement.
The Red Flags Rule, which will be enforced November 1, 2009, requires healthcare entities considered to be “creditors” to implement an identity theft prevention program.
Further, the bill lets off the hook an entity that:
- Knows all of its customers or clients individually
- Only performs services in or around the residences of its customers
- Has not experienced incidents of identity theft and identity theft is rare for businesses of that type
The FTC would determine if a business meets these criteria.
The Congressman who filed the bill are:
- John Herbert Adler (D-NJ)
- Paul Collins Broun, Jr. (R-GA)
- Mike Simpson (R-ID)
In case the Red Flags Rule has fallen off your radar, get started here.
Further, the bill lets off the hook an entity that:
Knows all of its customers or clients individually
Only performs services in or around the residences of its customers
Has not experienced incidents of identity theft and identity theft is rare for businesses of that type
The FTC would determine if a business meets this criteria.
Good thing to munch on as you think about updating or creating your Red Flags Rule policy.
Get blog updates in your e-mail
Subscribe to our e-zine
Click here to learn how!