Small Providers May Not Have to Deal With Red Flags Rule

If the bill passes, it would remove a large burden for small facilities to comply, says William M. Miaoulis, CISA, CISM, of Phoenix Health Systems, whose corporate offices are located in Texas, Maryland, and Hawaii.

However, it should not eliminate the need to protect patients' identity.

"Identity theft can certainly occur at organizations of any size and all organizations should take steps to enhance security and minimize the threat of identity theft," Miaoulis says. "Removal of the stringent requirements of the Red Flag Rules for small organizations would remove the burden of meeting the specifics of the rule, but should not eliminate the need for them to consider identity theft prevention."

John C. Parmigiani, MS, BES, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, says the bill mirrors HIPAA with small providers with less than 10 people who do not file claims electronically.

"I still believe the major determinant is whether the provider is a 'creditor,' not its size or if it knows everybody that it deals with," Parmigiani says. "Of greater concern is how it is protecting the digital information of the patient to whom it extends credit.