Standards, Regulations & Compliance

Senate Passes Red Flags Exemptions

Physicians, Other Service Providers Would Not Have to Comply
Senate Passes Red Flags Exemptions
The Senate, by unanimous consent, on Tuesday approved legislation that its sponsors say would exempt "small businesses," including physician practices, from the Identity Theft Red Flags Rule. The bill now goes to the House, which approved similar legislation last year.

Sens. John Thune, R-S.D., and Mark Begich, D-Alaska, introduced the measure, S 3987. Unlike an earlier bill the two senators introduced in May, the latest version approved by the full Senate does not spell out that certain professionals with 20 or fewer employees are exempt. Instead, it uses more general terms to more narrowly define the term "creditor" so that, in effect, far fewer organizations must comply with the Red Flags Rule.

Red Flags Exemptions

In a colloquy in support of the bill, Sen. Christopher Dodd, D-Conn., said the legislation "makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably forseeable risk of identity theft."

Begich added: "This legislation makes clear that these small businesses should not be swept under the Red Flags Rule in the future just because they allow payment to be deferred. ..."

The Federal Trade Commission has postponed enforcement of the Red Flags Rule several times. Lawsuits on behalf of attorneys as well as physicians seeking to block the FTC from applying the rule to these professionals are pending.

Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft. The rule applies, for example, to banks and federally-chartered credit unions, which are examined for Red Flags compliance by their federal regulators.

Who Does Red Flags Cover?

Under S 3987, creditors that must comply with the rule would no longer include those who "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."

Creditors that must comply, under the bill, are those that obtain and use consumer reports in connection with a credit transaction and furnish information to consumer reporting agencies. Also included are so-called payday loan companies that don't necessarily use consumer reports, according to a staffer for Sen. Begich.

Don Asmonga, government relations manager for the American Health Information Management Association, said the bill apparently would exempt hospitals as well as physicians. He said he interprets the bill's language to mean "If a hospital does not regularly request credit reports, then they would be exempt from the Red Flags Rule."

"The Tune-Begich bill narrows the applicability to cover those creditors where identity thieves can do the most harm," a member of Begich's staff said.

In the colloquy, Thune said, "Any other type of creditor may only be covered through a rulemaking based upon an agency's determination that these type of creditors offer or maintain accounts that pose a reasonably foreseeable risk of identity theft."

The FTC supported the legislation, the Begich staffer said, along with the U.S. Chamber of Commerce, the American Dental Association, American Bar Association and American Institute of Certified Professional Accountants. An FTC spokesman declined to comment on the legislation.


About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.