FTC: New Date for Red Flags Rule

December 2009

By Mary Ellen Schneider
Elsevier Global Medical News

The Federal Trade Commission once again has delayed enforcement of the Red Flags Rule, giving physicians until June 1, 2010, to comply with new requirements aimed at preventing identity theft.

The rule, which was issued by the Federal Trade Commission (FTC) in 2007, most recently had been scheduled to go into effect Nov. 1. But this is not the first time that the FTC has delayed the enforcement date. The agency has been pushing back enforcement of the rule every few months for about a year. Most recently, the FTC issued a statement on Oct. 30 saying that it was again delaying enforcement at the request of members of Congress.

Congress has been working on a legislative solution to exempt some physician practices and other small businesses from the requirements. The House passed a bill (H.R. 3763) that would exempt physician practices with 20 or fewer employees--as well as small accounting and legal practices--from the Red Flags Rule. The Senate has yet to act on the bill.

Rep. John Adler (D-N.J.), one of the chief sponsors of the legislation, said the regulations would be burdensome and expensive for small businesses and that physician practices were not meant to be caught up in this regulation. "The Federal Trade Commission went too far and went beyond the intent of Congress," Rep. Adler said on the House floor.

The rule also is being challenged in court. On Oct. 30, the U.S. District Court for the District of Columbia ruled that the FTC cannot apply the regulation to lawyers.

Under the rule, all creditors, including physician practices, must establish a written identity theft-prevention program to protect consumers. The rule requires physician offices and other health care institutions to conduct risk assessments to determine their vulnerabilities to identity theft and respond to those risks.

The rule has raised the hackles of organized medicine. Groups such as the American Medical Association have objected, saying that it is inappropriate to classify physician practices as creditors simply because they allow patients to defer payment while the practices bill insurance companies. The Red Flags Rule also would add financial and administrative burdens on practices, the AMA said, because it duplicates existing privacy and security requirements put in place under the Health Insurance Portability and Accountability Act.

"For over a year, the AMA has continued to make the case to FTC that physicians are not creditors, and the Red Flags Rule should not apply to them--now attorneys and members of Congress are also rightly raising concern with the FTC's broad interpretation," Dr. Cecil Wilson, the AMA's president-elect, said in a statement. "The FTC's latest delay of 7 months should give them the time they need to take a good, hard look at the rule and finally revise the list of groups to which it applies."

The FTC has published a list of frequently asked questions about the rule at www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm


Click here to
send us feedback