Welcome to the initiation of the SMK Consulting Services, LLC, informational blog.
I am pleased to let you all know that over the last few weeks, both the Senate and the House of Representatives passed The Red Flag Clarification Program Act of 2010 (See, S. 3987). The bill now awaits signature by the President. The legislation amends the Fair Credit Reporting Act with regard to the applicability of identity theft guidelines to creditors.
In case the Red Flags Rule is unfamiliar to you, essentially the Federal Trade Commission, or "FTC", created a very broad medical identity theft rule a few years ago that cast its net far more widely than most professionals thought necessary. It required certain board-approved policies and procedures for searching out and addressing possible or actual identity theft issues or "red flags" that came to the attention of a creditor. The FTC postponed enforcement of the Red Flags Rule multiple times, and the AMA brought suit in May 2010 arguing, in part, that physicians should not be considered "creditors" with "covered accounts" under the FTC rule simply because doctors allowed patients to pay over time.
Now, under the amendment, a “creditor” will “not include a creditor . . . that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
In a colloquy offered in support of the legislation, Sen. Christopher Dodd, D-Conn., stated that the legislation “makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.” The Clarification Act, however, still gives the FTC the discretion to determine that a creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. When is that risk "foreseeable"?
Given that HITECH and state breach notification laws still require covered entities and business associates to take great care with protected health information that they acquire, use, access, maintain, disclose, etc., this latest Clarification Act provides a break from redundant regulatory requirements, but doesn’t change an overall privacy scheme. Providers, insurers, and business associates will still need to meet the HIPAA Privacy and Security standards, and their state law mandates, to prevent medical identity theft and hopefully ward off privacy complaints to the regulators.