Red Flags: Physicians Exempt from Rules Under New Law

December 8, 2010

Congress yesterday passed legislation exempting physicians' practices from abiding by so-called Red Flags Rules aimed at preventing consumer identity theft.

Well, it's beginning to feel a lot like Christmas. Because in Washington, the politicians and bureaucrats just keep on giving.

First, we learned that the big Medicare rate cut set to hit physicians' practices on Dec. 1 was delayed for a month while Congress hammered out a longer postponement. Yesterday, we learned that the longer delay -- all the way through the end of next year -- is at hand, though the sides had not yet agreed formally. We've also learned of Medicare's plans to begin covering a new annual wellness exam and to bump primary-care physicians' pay 10 percent next year.

And now we learn that the dreaded Red Flags Rule, which requires lenders to develop plans to ensure that consumers' financial information is kept secure, will not apply to physicians, after all, thanks to legislation passed yesterday in Congress.

We've been writing about the Red Flags Rule for at least a year and a half now. The rule, separate from HIPAA patient-privacy rules (to which you are absolutely still beholden, of course), required creditors to demonstrate a protocol "for detecting identity theft red flags, preventing and responding to identity theft, and for keeping their program up to date." Under the Federal Trade Commission's interpretation, physicians had been considered creditors if they bill patients for fees not collected at the time of service -- which is to say, everyone except maybe a cash-only walk-in clinic.

Now, I still think that having a protocol for preventing identity theft and checking for so-called financial red flags is a good idea. Check out the article linked above by Sara Michael. She suggests things like checking every patient's ID, separating clinical from financial information, and looking out for "suspicious activity." Surely you can do those things.

The Red Flags Rule was (and still is, for those covered by it) about protecting consumers from identity theft. Under the new law, you needn't do anything formal to prove to the government you're complying. And that's great news. But your patients are giving you their credit cards, their bank account information, etc., and you still ought to do what you reasonably can to look out for them.