President Obama did, in fact, sign the Red Flags Clarification Bill S. 3987 into law as Public Law No: 111-319 on December 18, 2010. The physicians groups are celebrating that they are not specifically covered by this particular medical identity theft act. But what does it really mean in terms of your data protection obligations?
The bill that was signed into law narrows the definition of creditor for the purposes of implementing the FTC requirements, originally intended for use by financial institutions to prevent and mitigate identity theft. But the language of the bill itself does not specifically exclude healthcare providers. Rather, it limits the definition of “creditor,” and excludes from that definition one who “advances funds to or on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
But the language still includes the broad definition of "creditor" in the Equal Credit Opportunity Act (Section 702 of 15 U.S.C. 1691a), and it still covers those that "regularly and in the ordinary course of business" obtain or use credit reports, or furnish information to credit reporting agencies, in connection with a credit transaction. It also gives the FTC the right to determine that a "creditor" offers or maintains accounts that are subject to a "reasonably foreseeable" risk of identity theft.
Sorry to be a cold bucket of water, but it seems to me that plenty of professionals of all stripes, including physicians and other healthcare providers, will still need to maintain medical identity theft policies and processes by law. Even without the "foreseeability" loophole, some hospitals file reports with consumer reporting agencies on past-due bills, which puts them squarely under the narrower FTC definition of creditor. Some practices do the same to assure the patient's ability to self-pay, such as in plastic surgery offices. To know whether a hospital or healthcare practice is still subject to the Red Flags Rule, the professional or entity will have to look at its business, finance and collection activities.
But for all of you who have already put your Red Flags policy and process into place, bravo. Regardless of the slimmed-down definition of who is or is not a creditor, you are under a legal obligation to protect the privacy and security of your patients', clients' or residents' data. FTC definition or not, if the PHI in your control were lost or breached, you'd have medical identity theft issues, HIPAA/HITECH issues, state breach notification issues, and your professional reputation to address. Why not have your "just-in-case" steps in place?
Keep using your common sense, and keep weaving compliance into your day-to-day business practices. You won’t regret it.