No Reason to See Red Over FTC’s Red Flags Rule

Wednesday, 11. November 2009

The “red flags” rule is now scheduled to take effect on June 1, 2010, after another delay announced earlier this week by the Federal Trade Commission as it considers new legislation that would exempt small businesses, including medical practices, from compliance. The rule mandates the creation of identity theft prevention programs, and will apply to any organization that can be considered a creditor with “covered” accounts (i.e., commercial accounts that involve multiple transactions). Most providers, many medical billing companies and some health plans are expected to comply.

The American Medical Association, American Academy of Family Physicians and other industry groups have weighed in against the rule, on the basis that physicians do not meet the definition of creditors. A completely sensible argument. But medical practices need to proactively engage in some agreed-upon set of identity theft prevention practices. It’s in the best interest of consumers, not to mention practice owners, who’ll otherwise pay the price through legal costs, or through the provision of services for which they would never collect payment. Incidences of medical identity theft are increasing – enough to raise the dander of the government, which commissioned a study to assess and evaluate the scope of the problem. And smaller medical practices (which account for nearly 80 percent of all U.S. practices) may be more vulnerable, as thieves could perceive them to be lower-risk targets based on the assumption that they lack the sophisticated security procedures of hospitals or larger health care organizations.

Despite the widespread outcry from industry groups, the actual impact on a practice for complying with the red flags rule may be minimal. The new rule would simply buttress state privacy laws that already require health care organizations to respond to breaches of certain patient information. In addition, there is a great deal of overlap between the proposed FTC regulations and HIPAA, which applies to medical practices or other entities that are conducting electronic transactions.

Medical practices concerned about compliance can learn more at: http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm or http://www.ama-assn.org/ama1/pub/upload/mm/368/red-flags-rule-edu.pdf.
