Small Providers May Not Have to Deal With Red Flags Rule

Congressmen filed a bill October 8 that would exempt a healthcare practice with 20 or fewer employees from the FTC's Red Flags Rule requirement.

The Red Flags Rule, which will be enforced starting November 1, 2009, requires healthcare entities considered to be "creditors" to implement an identity theft prevention program.

Further, the bill, filed by John Herbert Adler (D-NJ), Paul Collins Broun, Jr. (R-GA), and Mike Simpson (R-ID), lets off the hook an entity that:

• Knows all of its customers or clients individually
• Only performs services in or around the residences of its customers
• Has not experienced incidents of identity theft and identity theft is rare for businesses of that type

The FTC would determine if a business meets these criteria.

But some industry experts do not think the new bill is a necessary addition to the rule.

Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, says healthcare entities should already have an identity theft prevention program in place.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says it does not make sense because it affects a great number of physician offices.

"This was most concerning because in isolation, it may sound like it makes sense to base exclusions on the number of employees in a particular healthcare practice," Ruelas says. "But with a bit more analysis, this exclusion has a sweeping effect on an industry level when speaking of primacy care physicians where most people receive their medical care."

Ruelas adds he does not "see a correlation between the objective of the Red Flag Rules and the size of an organization, which would support smaller organizations to be excluded."