President Barack Obama has signed into law a bill that clarifies the term "creditor" in the Red Flags Rule, excluding doctors and other small businesses.
The Red Flag Program Clarification Act of 2010 (Bill, S. 3987) sponsored by Sens. John Thune (R-S.D.) and Mark Begich (D-Alaska), was scheduled to go into effect on December 31. It was introduced in the Senate on November 30 and unanimously passed on the same day. The House passed the bill by voice vote on December 7.
The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the Federal Trade Commission and other agencies to develop regulations requiring creditors and financial institutions to address the risk of identity theft. The resulting rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
The Red Flag Program Clarification Act clarifies that small businesses like doctor's offices are not classified as creditors because they do not offer or maintain accounts that pose a risk of identity theft.
The issue has become a hot topic of debate. In a note to Healthcare IT News, one reader said, "the problem is that there is medical identity theft. The issue of whether doctors are creditors or not is clouding the real problem. Anybody who works with physician offices knows that they do not easily accept change and sometimes will only do something if they are forced to. Letting them off the 'Red Flag' hook just gives these offices the excuse they need to ignore it." The reader added that it only took his office two days to create a policy and train staff.
Others, including the American Medical Association, American Osteopathic Association and Medical Society of the District of Columbia, say the rule is "arbitrary, capricious and contrary to the law." On May 21, they filed a suit in federal court seeking to prevent the FTC from extending identity theft regulations to physicians.
Leann Fox, director of Washington Advocacy and Communications, said the association and the 70,000 osteopathic physicians it represents applaud the bill. She said it ensures that "small physician practices do not face undue regulatory burden associated with complying with the previous definition of the Red Flags Rule."
"The Medical Society of the District of Columbia is pleased that Congress has done what the FTC has failed to do – namely, clarify that the Red Flags Rule was never intended to apply to physicians and many of the other professionals that the FTC appeared to want to catch in its net," said K. Edward Shanbacker, executive vice president of the Medical Society of the District of Columbia.
"When the original law was passed in 2003, there was no legislative intent to place an additional regulatory burden on physicians. Rather, it was an attempt to deal with the growing problem of identity theft as a result on records kept by creditors such as banks, credit card companies and payday lenders," said Shanbacker. "The FTC chose the broadest possible interpretation, despite the fact that physicians already have protections in place to guard against identify theft of patient information as required by HIPAA."