Do You Have to Comply with the Red Flag Rule? | HIPAA Compliance

A health care practice recently asked me whether it had to comply with the Red Flag Rule now that “professionals” have been carved out of Red Flag covered entity status. The revision makes it clear that “lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flag Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.”

Unfortunately, it seems that many health care providers maintain accounts that do pose a reasonably foreseeable risk of identity theft. If anyone doubts that assertion, consider that fully two-thirds of the 18 HIPAA criminal convictions to date involve identity theft conducted with protected health information (“PHI”) maintained by a covered entity, usually patient accounts data. Thus, it seems as if it would be hard to say that a hospital, a physician practice, or the like isn’t maintaining accounts that pose a reasonably foreseeable risk of identity theft.

A strong argument exists, however, that, even if a health care provider does not have to comply with the Red Flag Rule because the provider is not a creditor under that Rule, HIPAA still requires such a provider to consider whether adopting the security measures inherent in Red Flag compliance is reasonable and appropriate to protect its financial and demographic data from the most common HIPAA crime to date: identity theft.

The Red Flag Rule requires those subject to it to identify the “red flags” that are signs of possible identity theft and then to have a plan for responding to those red flags so as to prevent or contain identity theft. Regardless of whether you must strictly comply with the Red Flag Rule, you must perform a risk analysis and determine how to protect your financial and demographic data from identity theft.

Premium Members, log in to the Premium Member section for my article on Red Flag compliance for health care providers. It was published before the new law carving out some providers, but its discussion of possible red flags for health care entities, and of possible security measures to take when a red flag comes up, still offers good suggestions.
