Red Flags: What Now?
A bill now pending in the U.S. Senate, similar to one passed by the House 400-0 last year, would exempt healthcare, accounting and legal practices with 20 or fewer employees. The exemption would apply to physicians, dentists, podiatrists, chiropractors, several types of therapists and veterinarians.
Meanwhile, the Federal Trade Commission (FTC) has delayed enforcing the rule for the fifth time until Congress sorts out precisely which organizations must comply. The FTC had been slated to begin enforcement June 1.
Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.
Earlier, the American Medical Association and two other physician groups filed a lawsuit seeking to prevent the FTC from applying the rule to doctors. They argued the rule is unnecessary because physicians already face the considerable burden of complying with the HIPAA privacy and security rules.
And that point has some validity, especially given the limited resources of smaller clinics. But surely the Mayo Clinic can afford to add one more compliance program.
Some observers, in fact, argue strongly that large healthcare organizations, which already have compliance departments, should have taken steps by now to comply with the Red Flags Rule.
In a recent interview, Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash., argued that complaining about the Red Flags Rule is a waste of time "because healthcare organizations should already have the policies and practices in place to address the issue of financial identity theft."
He notes that many states already have regulations in place that are very similar to the Red Flags Rule. "And having a program in place to detect ID theft should be routine for any size organization," he argued.
Although some of the steps involved in complying with the Red Flags Rule are somewhat redundant with HIPAA requirements, "if you have a compliance program in place already, adding one extra component to it is reasonable," Paidhrin said. "If you offer credit, you should be looking out for fraud, waste and abuse."
In an earlier blog post, I noted that Shannon Talbert, senior consultant for corporate compliance at Legacy Health System in Portland, Ore., believes that taking the fraud prevention steps the Red Flags Rule requires "is just the right thing to do."
"At first there was a lot of huffing and puffing about the hassle of coming into compliance," she said. "But it's the right thing to do: to be proactive in protecting health information."
As for whether the Red Flags Rule should apply to physicians, Talbert pointed out that the FTC has provided guidance on simple steps that smaller organizations, such as doctors' offices, can take to comply.
But I would argue that the pending Senate bill exempting smaller practices is a good idea, given these clinics' limited resources and relatively limited ability to grant credit. It will be interesting to see whether any Senators argue that certain larger physician practices also should get regulatory relief.
As for hospitals, let's face it: You're going to have to comply or face sanctions. It's only a matter of time.