Home Health & Hospice Week

Privacy:

Red Flags Exemption Doesn't Give You A Pass On Safeguards

Consider keeping many of your identify theft precautions in place.

On Dec. 18, President Obama signed into law a change to the wording of who is considered a "creditor" in the government's eyes for Red Flags Rule purposes, which should let most home care providers off the hook for related identify theft protection requirements.

Background: Previously, the Red Flags Rule defined a creditor as any entity that bills a customer after rendering services. The Federal Trade Commission's website noted earlier this year that creditors included "many doctor's offices, hospitals, and other health care providers." As creditors, providers had to comply with the FTC's Red Flags Rule, which required creditors to develop programs to address identity theft prevention techniques, as well as tools to detect and deal with potential identity theft incidents.

New ruling: The "Red Flag Clarification Act of 2010" signed by the president indicates that a true "creditor" meets the following criteria:

• Obtains or uses consumer reports in connection with credit transactions;

• Furnishes information to consumer reporting agencies; and

• Advances funds to or on behalf of a person that the person will pay back later.

Now provider advocacy organizations want the FTC to specifically indicate in writing that providers are exempt from the Red Flags Rule.

Don't Abandon Your Efforts

If you've worked throughout the past year to tighten up your identity theft prevention processes, don't think that work was for naught. The provisions in the Red Flags Rule are still considered smart if you want to avoid problems, says James D. Hook, director of consulting services with The Fox Group, a healthcare consulting firm based in Upland, Calif.

Your organization is still legally responsible for protecting the confidential information that patients give to you, Hook says. If you created a Red Flags program, don't just toss it aside -- instead, continue to implement the safeguards that you put in place to protect your patients.

And you should have processes in your organization to safeguard the information that patients have given to you. Often in a medical setting, "identity theft is, unfortunately, an inside job," Hook says. "Someone might take just enough information to use a patient's identity or even take their credit card information. There isn't much you can do to defend yourself against the dishonest actions of one employee acting alone, but you do want to have at least a bare minimum outline of what you'd do in the event that you found someone has misused patient information.

Don't forget: "Also, make sure you have a plan in place when you find someone seeking treatment with a stolen identity -- for instance, notifying the real patient and, potentially, law enforcement," Hook adds.

Other Articles in this issue of

Home Health & Hospice Week

View All