You may be able to Pack up your “Red Flags” Come January

It looks like the FTC may have just gotten a flag on their Red Flags play.  The FTC Red Flags rulings that have been pushed forward a couple of times over the last year may finally be at a rest for physicians. 

Per the Fair and Accurate Credit Transactions Act, any business that allows delayed payments or extends credit for services would have been required to develop and implement a written identity theft prevention program for their business or office  to help identify, detect, and respond to patterns, practices, or specific activities (otherwise known as "red flags") that could indicate identity theft.  Many thought it unfair that this should apply to physicians, dentists, pharmacists, veterinarians, lawyers and such saying that they weren’t really in the position of giving credit or reporting to credit agencies.  It has been mentioned that the FTC was trying to be too far reaching in its power and control.  It has also been said that it would cause an unusual and unnecessary burden on medical practices, especially those of single practitioners or small doctor groups. 

The Red Flags saga began back in January of 2008 when it first went into effect and has been a continual battle for health care professionals since.  The last implementation deadline, after all of this year’s extensions, was for the Red Flags to finally be mandatory on January 1st, 2011.  With the passing of S.3987, the “Red Flag Program Clarification Act of 2010”, physicians are some of those who would be exempt.  The newer scope interpretation of definition of ‘creditors’ for Red Flags purposed has been reduced exempting certain classes of professionals such as doctors, nurse practitioners, pharmacies, lawyers, accountants.  It is exempting those businesses where it is thought that identity theft poses little risk.  S.3987 has been passed by both the Congress and the Senate and only waits for President Obama’s signature to fully become law (as of last week).

Of course all of the medical professionals are breathing a sigh of relief.  It is one less thing that has to be planned, written, executed, and maintained in their offices.  With EHR and ICD-10/5010 implementation already looming heavily over their offices, this is one less straw to break their backs.

On the other hand, not everyone is happy about this.  There are many people out there who believe it is in the best interests of the offices to have an identity theft action plan in place both for them and their patients.  There are some that have even mentioned that it should somehow become part of HIPAA privacy concerns.  So, if the President signs off on S.3987 this case is at rest for now, but it may rear its head in another form later if some have their say.

If your office has a good financial policy in place, you may already be taking care of the things that would most likely “flag” as identity theft.  If not, but you want to further cover your backside or that of your patients, you could re-evaluate and strengthen your office financial policies to include “Red Flags” type provisions.  Sometimes it is still better to be safe than sorry.