Small healthcare entities are more likely to have cases of identity theft. So why exclude them from complying with a mandatory identity theft prevention program?
Randy Berry, B.A., C.P.A., financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, asks that very question.
The House of Representatives unanimously passed a bill Tuesday, October 22, that would exempt a healthcare practice with 20 or fewer employees from the FTC's identity theft Red Flags Rule requirement. The bill now moves onto the Senate.
The Red Flags Rule, which will be enforced starting November 1, 2009, requires healthcare entities considered to be "creditors" to implement an identity theft prevention program.
"The biggest concern that I have is … the smaller the practice, the less internal controls they have and the more apt the smaller practices are to have identity theft," says Berry, author of the Red Flag Manual and Training CD Package. "The most critical thing is protecting patients' identity. It's not about the doctor. It's about the patients' financial identity. The lobbyists forgot that this is not about practices; it's about patients and their customer's financial information."
The bill passed by the House last week, which was filed by John Herbert Adler (D-NJ), Paul Collins Broun, Jr. (R-GA), and Mike Simpson (R-ID), lets off the hook an entity that:
- Knows all of its customers or clients individually
- Only performs services in or around the residences of its customers
- Has not experienced incidents of identity theft and identity theft is rare for businesses of that type
The FTC would determine if a business meets these criteria.
Berry says the larger facilities already have a lot of checks and balances in place in order to prevent identity theft. It's the smaller entities that need to get on board.
"They are more lax than the larger ones with their internal controls," Berry says. "It's literally minutes per day to comply with this Red Flags Rule."