Wednesday, December 8, 2010

House and Senate Pass Red Flag Exclusion

The House and Senate agreed that physicians should not be identified as creditors under the FTC regulation known as the Red Flag Rule. It now awaits President Obama's signature. That does not mean that the medical industry has dodged a bullet in its responsibilities to protect identities.

While emphasis is on HIPAA as it relates to privacy and identity theft protection, let us not forget that as much as they may be intertwined in data collection and storage requirements they are not intertwined events when used criminally. One can steal an identity and not PHI [protected health information] and vice versa. There is no criminal trafficking of PHI. There is criminal trafficking of identities. Identity theft is lucrative and desired among thieves. It's easy to steal and in medicine it is used to gain access to expensive treatments and drugs. It is also lucrative because it is a repeatable crime that only requires gaining access to the information one time and using it or selling it over and over again. Once identities are stolen it can victimize individuals for years.

PHI, if inappropriately leaked, subjects medical personnel to consequences based upon company policy and subjects the company to HIPAA violations. The harm to the patient in most cases is either embarrassment or personal damages (including possibly economic). Identity theft subjects patients to potential loss of life, limb and civil liberties because there is more than one record out on the same identity. Talk about medical errors.... How is the doctor, NP, RN, or PA charged with treating the patient going to know which is right? How is a receptionist in an ER room or doctor's office going to know? The answer is they can't know 100% for sure.

Be advised that a trend is appearing among state attorney generals that if HIPAA violations occur, they will tack on requirements to include identity restoration as part of the damages. Connecticut was the first to shoot that arrow over the bow and many more are following. Massachusetts set a law in place that if you have a Massachusetts resident doing business in your organization that you are subject to Massachusetts identity laws or don't do business with a Massachusetts resident. The same goes for treating them. So the subject of identity theft is not going away nor is the obligations to conform to state requirements and among other authorities.

While I empathize with my medical industry brethren about not wanting to duplicate or add on any more unfunded mandates than is humanly able, this is one "red flag" we simply cannot ignore. It infiltrates our communities, our schools, our jobs, and our friends and families. It costs more financial loss than HIPAA violations. It cannot be stopped only controlled. Following HIPAA guidelines in good faith is prudent. When you protect an identity you not only save the company and your jobs, but you also save people a lifetime of heart ache and you save their lives.

No comments:

Post a Comment