The oft-delayed Red Flags Rule, scheduled to take effect November 1, may be in for a major change. A bill that passed the US House October 20 and arrived in the Senate the next day would exempt, among others, healthcare practices with 20 or fewer employees from meeting the law’s requirements.

The amendment is intended to relieve the administrative burden on small businesses.

The Red Flags Rule, part of the Fair and Accurate Credit Transaction Act of 2003, requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. As described in the rule, creditors are organizations that maintain consumer accounts that receive multiple payments or payments made in installments.

In full, HR 3763 amends the Fair Credit Reporting Act to exclude “any health care practice, accounting practice, or legal practice with 20 or fewer employees.” It also excludes any other business that the Federal Trade Commission, which oversees the rule, determines:

  • knows all its customers or clients individually;
  • only performs services in or around the residences of its customers; or 
  • has not experienced incidents of identity theft, and identity theft is rare for businesses of that type.

The proposed amendment moved easily through the House. It was introduced October 8 and was voted on without debate on October 20. There were 400 votes to approve and no votes in opposition.

The House bill was received and read in the Senate and referred to the Committee on Banking, Housing, and Urban Affairs.

The Red Flags Rule was first scheduled to take effect November 2008. The Federal Trade Commission offered several delays to provide more guidance and give businesses more time to prepare.

Provider Burden or Consumer Protection?

Rep. John Adler (D-NJ) sponsored the bill. “The Federal Trade Commission went too far and went beyond the intent of Congress by considering non-financial, service-related industries to be ‘creditors’…,” he said in a floor speech before the vote.

“Its ruling would force thousands of small businesses to comply with burdensome, expensive regulations by forcing them to develop and implement an identity theft program.”

The American Medical Association also is opposed to inclusion of medical practices and has lobbied against it.

However, in a letter to the Senate committee chair, AHIMA argues that medical practices are already a target of identity thieves and that exempting them from the rule would motivate thieves to focus on them more.

AHIMA also noted that the bill has a much farther reach than might appear. Nearly half of physicians work in practices of six physicians or fewer, according to a 2008 report from the Centers for Medicare and Medicaid Services. At a time when medical identity theft and healthcare fraud are on the rise, the bill would exempt a large share of providers from having identity theft prevention programs.

In addition, the exemption would undermine efforts to raise awareness of identity theft and subsequent fraud within the healthcare industry, AHIMA wrote.

The Senate Committee on Banking, Housing, and Urban Affairs has yet to schedule discussion of the bill. With a full plate and the winter recess approaching, it is unclear if the committee will consider the House bill this year.

Updated Oct. 28