The Identity Theft Red Flags Rule has been narrowed; health care organizations no longer must comply thanks to a new Red Flag Clarification Act

In a colloquy in support of the bill, Sen. Christopher Dodd, D-Conn., said the legislation “makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably forseeable risk of identity theft.

That last sentence sounds like a big one. What is a reasonably forseeable risk of identity theft? Can health care providers be expected to reasonably predict the risk of identity theft if they do not develop and implement an Identity Theft Prevention Program (as required by the Red Flags Rule)? The exception was a political move to lessen the regulatory burden on businesses, but it is not clear if it also was due to confidence with the information security practices at health care providers.