The Federal Trade Commission has again delayed enforcement of the “Red Flags” rule, giving physicians until the end of 2010 before they are required to implement identity-theft prevention programs in their practices.
Enforcement of the rule had been scheduled to begin on June 1. In a statement issued on May 28, the FTC said it was delaying enforcement to give Congress time to consider pending legislation that would exclude some small physician practices and small businesses from the rule. Last year, the House passed a bill (H.R. 3763) that would have exempted physician practices with 20 or fewer employees from having to comply with the Red Flags rule, but that legislation has failed to gain traction in the Senate.
FTC officials urged lawmakers to act quickly to clarify what groups should be covered by the regulation. “As an agency we're charged with enforcing the law, and endless extensions delay enforcement,” FTC chairman Jon Leibowitz said in a statement.
The Red Flags rule was written to implement provisions of the Fair and Accurate Credit Transactions Act, which calls on creditors and financial institutions to address the risk of identity theft. The rule requires creditors to develop formal identity-theft prevention programs that would allow an organization to identify, detect, and respond to any suspicious practices, or “red flags,” that could indicate identity theft.
The rule became effective on Jan. 1, 2008, with an original enforcement deadline of Nov. 1, 2008. However, the Federal Trade Commission has delayed enforcement of the rule several times, first to give organizations more time to get familiar with the requirements and subsequently at the request of members of Congress.
The rule has been controversial in the medical community because many physicians believe their practices don't fit into the definition of a “creditor.” However, the FTC has continued to insist that physicians are in fact “creditors” because they allow their patients to defer payments over time.
The agency also has tried to assure physicians that the requirements should not be a burden and that small practices can come into compliance by implementing simple steps. For example, in low-risk settings, practice staff can ask patients for photo identification when they come in for an appointment.
The American Medical Association and other physician groups have been lobbying to get physicians excluded completely from the requirements. On May 21, the AMA joined the American Osteopathic Association and the Medical Society of the District Columbia in a federal lawsuit that seeks to prevent the FTC from applying the Red Flags rule to physicians.
The groups contend that not only are physicians not creditors, but that the rules would be burdensome and duplicate requirements already in place under the Health Insurance Portability and Accountability Act.
“Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patients' medical information,” said Dr. Peter E. Lavine, president of the Medical Society of the District of Columbia, said in a statement. “It is unnecessary to add to the existing web of federal security regulations physicians must follow.”