HIPAA.com has covered the provisions of the Federal Trade Commission (FTC) Red Flags Rule in earlier postings. Congressional action now exempts healthcare providers from compliance with the provisions of the Red Flags Rule.
On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010. On November 30, 2010, the Senate passed this legislation by unanimous consent. The bill has been cleared to the White House for signature.
The following information from the Library of Congress summarizes S 3987 (see http://thomas.loc.gov):
“Amends the Fair Credit Reporting Act, with respect to federal agency (red flag) guidelines regarding identity theft and the users of consumer reports, to define creditor to mean one that regularly and in the ordinary course of business: (1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnishes information to certain consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person, based on the person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf.
“Includes in the definition any other type of creditor as the federal agency (banking agency, National Credit Union Administration, or the Federal Trade Commission) having authority over that creditor may determine appropriate, if the creditor offers or maintains accounts subject to a reasonably foreseeable risk of identity theft.
“Excludes from the definition of creditor, however, any creditor that advances funds on behalf of a person for expenses incidental to a service the creditor provides to that person.”
Note: Healthcare providers as Covered Entities under HIPAA Administrative Simplification, while exempt from FTC Red Flag identity theft detection and protection provisions under S 3987, are not exempt from HIPAA and HITECH Act privacy and security rule obligations to safeguard patient identity data elements that are protected health information (PHI) identifiers.