Physicians exempt from Red Flags identity theft rule (updated)

Article updated Dec. 10, 2010

When it comes to complying with the federal government’s Red Flags Rule, physicians are off the hook. Congress passed legislation yesterday exempting physicians from the identity theft protection law.

Doctors’ groups, including the AMA and several specialty organizations, have lobbied aggressively to ensure that healthcare providers were not included under the law. The efforts, it turns out, were successful.

Currently, the Federal Trade Commission has determined that providers should be considered creditors, meaning they’d be covered under the rule, which requires they show a process for detecting identify theft red flags, preventing and responding to identity theft, and for keeping the program up to date. Practices that regularly bill patients after the completion of services or set up payment plans were to be considered creditors.

The compliance deadline for the rule, which is separate from HIPAA privacy rules, was pushed back several times, and there was considerable confusion in the healthcare provider community about who is covered.

This new legislation clarifies who is considered a creditor, excluding from the definition businesses “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person,” according to an advisory from business and litigation law firm Davis Wright Tremaine.

The definition appears to exempt some providers, the firm stated, but many providers might still be considered creditors even with this clarification legislation. Further, the FTC has previously singled out providers as among those covered under the Red Flags rule. The firm noted that the FTC and other relevant regulatory agencies can extend the regulation to cover businesses that face a reasonable risk of identity theft. "Health care providers will have to stay tuned to see how those agencies, and most notably the FTC, will respond to this invitation to weigh-in on application of the Red Flags Rule,” the firm’s Helen E. Ovsepyan, Paul T. Smith, and Rebecca L. Williams wrote.

The AMA lauded the new legislation. "New legislation passed by Congress sheds some much needed light on who is considered a creditor under the red flags rule,” AMA president Cecil B. Wilson, MD, said in a statement. “The AMA has worked closely with FTC officials and Congress and is engaged in a lawsuit with other physician groups to get the FTC to permanently remove physicians from the scope of the red flags rule. … We hope that the FTC will now withdraw its assertion that the red flags rule applies to physicians.”

It’s still a good idea to take some of the necessary privacy protection steps in your practice, even if it’s not required. For example, double check every patient’s ID to make sure it is indeed the right patient, and that it is not expired. Also, separate clinical and financial information. For more, check out this article.

Were you concerned about the Red Flags rule? Had you started taking steps to comply? Tell us about it here.