Health Information Management

Experts: exemption from Red Flags Rule not necessary

HIM-HIPAA Insider, October 26, 2009

Some industry experts do not think small healthcare entities need to be exempt from complying with the FTC’s Red Flags Rule.

The House of Representatives filed a bill October 8 that would exempt a healthcare practice with 20 or fewer employees from the FTC’s Red Flags Rule requirement.

The Red Flags Rule, which will be enforced beginning November 1, requires healthcare entities considered to be creditors to implement an identity theft prevention program.

Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, says healthcare entities should already have an identity theft prevention program in place.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says the exemption does not make sense because it affects a great number of physician offices. (He cited this data.)

“This was most concerning because in isolation, it may sound like it makes sense to base exclusions on the number of employees in a particular healthcare practice,” Ruelas says. “But with a bit more analysis, this exclusion has a sweeping effect on an industry level when speaking of primary care physicians where most people receive their medical care.”
