
Small Providers May Not Have to Deal With Red Flags Rule

By HealthLeaders Media Staff, October 19, 2009

Congressmen filed a bill on October 8 that would exempt a healthcare practice with 20 or fewer employees from the FTC's Red Flags Rule requirement.

The Red Flags Rule, which will be enforced starting November 1, 2009, requires healthcare entities considered to be "creditors" to implement an identity theft prevention program.

Further, the bill, filed by John Herbert Adler (D-NJ), Paul Collins Broun, Jr. (R-GA), and Mike Simpson (R-ID), would also exempt an entity that:

  • Knows all of its customers or clients individually
  • Only performs services in or around the residences of its customers
  • Has not experienced incidents of identity theft and identity theft is rare for businesses of that type

The FTC would determine if a business meets these criteria.

But some industry experts do not think the new bill is a necessary addition to the rule.

Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, says healthcare entities should already have an identity theft prevention program in place.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says the exemption does not make sense because it affects a great number of physician offices.

"This was most concerning because in isolation, it may sound like it makes sense to base exclusions on the number of employees in a particular healthcare practice," Ruelas says. "But with a bit more analysis, this exclusion has a sweeping effect on an industry level when speaking of primary care physicians where most people receive their medical care."

Ruelas adds he does not "see a correlation between the objective of the Red Flag Rules and the size of an organization, which would support smaller organizations to be excluded."

If the bill passes, it would remove a large burden for small facilities to comply, says William M. Miaoulis, CISA, CISM, of Phoenix Health Systems, whose corporate offices are located in Texas, Maryland, and Hawaii.

However, it should not eliminate the need to protect patients' identity.

"Identity theft can certainly occur at organizations of any size and all organizations should take steps to enhance security and minimize the threat of identity theft," Miaoulis says. "Removal of the stringent requirements of the Red Flag Rules for small organizations would remove the burden of meeting the specifics of the rule, but should not eliminate the need for them to consider identity theft prevention."

John C. Parmigiani, MS, BES, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, says the bill mirrors the way HIPAA treats small providers with fewer than 10 people who do not file claims electronically.

"I still believe the major determinant is whether the provider is a 'creditor,' not its size or if it knows everybody that it deals with," Parmigiani says. "Of greater concern is how it is protecting the digital information of the patient to whom it extends credit."
