Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Should Health Care Providers Bother with Red Flags?

Posted in Medical Identity Theft

    Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009.  The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.  Interestingly, last week, Law 360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement.  If the ABA were to go down that route, others could follow suit (excuse the pun). 

     So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . .  but should they?

     In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers’ compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care.  In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this. 

     The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program should match the size and complexity of the particular health care provider – and, thus, should be manageable, both from an administrative and financial standpoint.   On the other hand, a victim of medical identity theft can have their safety, well being and even life jeopardized.  The Red Flag Rules should be viewed, then, as one way to help protect patients from this growing problem. 

     To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.