
Should Feds Remove Small Practices from Red Flags Compliance?

By dnicastro@hcpro.com, March 08, 2010

An author on Red Flags Rule compliance tells HealthLeaders Media that eliminating small practices from complying with the FTC's identity theft prevention program regulation would lead to more identity violations.

In December 2009, the U.S. District Court issued a summary judgment in favor of the American Bar Association that said the Red Flags Rule does not apply to attorneys or law firms.

Piggybacking off that decision, a group that includes the American Dental Association, American Medical Association, American Osteopathic Association, and the American Veterinary Medical Association wrote a letter to the FTC urging it to remove them from compliance. Also, the House passed a bill last year that calls for removing entities with 20 or fewer employees from Red Flags Rule compliance.

The Red Flags Rule's compliance date took effect on November 1, 2008, nearly a year and a half ago. The enforcement date, however, has been delayed four times and is now June 1, 2010.

Randy Berry, BA, CPA, financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, says it would be unfortunate if entities with 20 or fewer employees are let off the compliance hook.

"Smaller businesses with small multi-tasking staffs have fewer controls and are more at risk than that of larger businesses with a larger staff size," says Berry, author of the Red Flag Manual and Training CD Package. "Small businesses are more prone to customer identity theft."

The FTC is fighting back to get smaller entities to comply. On February 25, the FTC filed a notice appealing the U.S. District Court's December judgment, which upheld the ABA's position that attorneys and law firms are not "creditors" under the FTC's Red Flags Rule definition. (All "creditors" must comply.)

"We are disappointed that the Federal Trade Commission has decided to appeal its loss of the Red Flags litigation in the District Court," ABA President Carolyn Lamm said on the ABA's Web site.

However, Berry says recent FTC research identified the severe problem of organizations not ensuring that their business associates (BAs)/service providers have adequate identity-theft safeguards in place within their software systems and networks for peer-to-peer (P2P) file sharing.

Berry cited "improper release or theft of an individual's personal financial information" as the core reason behind the Red Flags Rule.

"Continually delaying the enforcement of the Red Flags regulations jeopardizes tens of thousands of individuals' personal financial information," Berry says. "This confidential personal financial information is potentially being transmitted across non-secured networks between a business and their business associates/service providers, which also may have weak internal controls programmed into its P2P software."

The responsibility to comply, Berry says, should be on the BAs/service providers to add identity theft prevention safeguards to their software program and to add more security features to their networks.

Agreements with BAs and service providers should include requirements for the BAs, Berry says, "to take adequate safeguards to ensure that the businesses' customer's personal financial information is secured along with the customer's personal health information as required by HIPAA."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
