Well, not really repealed, but multiple exemptions were passed, and though not specific in the bill, medical practices should now be exempt.
On Tuesday the Senate approved S 3987, the latest bill dealing with Red Flag Rules. This latest version does not specify that certain professionals with fewer than 20 employees may be exempt, but instead tries to narrow the definition by using the term “creditor”.
If Sen. Christopher Dodd’s, D-Conn., statement can be taken to heart, then all is well.
He said the legislation “makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.”
I wouldn’t jump for joy too high. Congress has never been known for making things easy.
Sen. Dodd’s use of “when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft” is a bit concerning.
If your office does extend “credit” to patients, it would still be wise to live by the Red Flag rules to a large extent.
Remember, under the Red Flags Rule, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as “red flags,” that could indicate identity theft.
For the most part, as long as your office follows strict HIPAA policies, you will be well covered under Red Flag. The primary difference is the need to have a process by which your office detects those Red Flag identity patterns.
Additionally, if you use a third-party firm to provide credit, that company should:
- Provide your office with Red Flag pattern detection policies.
- Have their own internal detection processes that should cover your practice.
As with all the heavy-burden regulatory compliance (HIPAA, RAC, taxes, etc.) that the federal government imposes, ignoring the issue does not make it go away.