The Red Flags Rule Doesn’t Apply to Physician and Healthcare Organizations. “Really?”

Has your medical billing consultant told you that the Red Flags Rule has been repealed for physician practices and other healthcare organizations?

Now that Congress has passed and sent to the President the Red Flag Clarification Act of 2010, it may seem tempting to write it all off as a bad dream involving over-eager regulators at the FTC.  But just because there may no longer be a mandate for a detailed compliance plan to prevent and react to possible identity theft in a physician practice or other healthcare organization, does not mean identity thieves will no longer target them as a rich source of identities ripe for stealing.

Moreover, the new law does not actually specify that physician practices or other healthcare organizations are exempt from the Red Flags Rule; it simply clarifies the definitions of a creditor in ways that most Congressmen and Senators claim exempts healthcare organizations.  The law emphasizes creditors that routinely pull credit reports on existing or potential customers or who actually advance funds to people who are obligated to repay them.  In addition, it includes any other creditor regulated by a federal agency (like the FTC), that the agency says is subject to the original legislation and regulations.  Could be a lot of wiggle room there!

The law does exempt creditors that advance funds on behalf of a person for expenses incidental to a service the creditor provides to that person.  Well, at least the congressional intent seems clear!

So what should you do with all compliance policies and procedures you drafted to comply with the Red Flags Rule?  Use them!  Your medical business still has a duty to safeguard the confidentiality of information your patients share, and an organization that had a policy and then stopped using it because of a relaxation in the law may be particularly vulnerable to claims that it could have prevented someone’s identity theft – but didn’t.  And then there’s also the issue of potential confusion in medical records when someone seeks and receives medical care using a stolen identity of a real patient.  This confusion will only be a bigger problem when Health Information Exchanges are making information widely available in the future.

Policies against identity theft should continue to be part of your compliance program policies and procedures.  If you have not drafted such policies yet, take the time to download some helpful guides from the FTC located right here on our website, or seek outside assistance to properly address the Red Flags Rule in your business.

When you need proven expertise and performance

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.