The Federal Trade Commission once again has delayed enforcement of the Red Flags Rule, giving physicians until June 1, 2010, before they have to comply with new requirements aimed at preventing identity theft.
The rule, issued by the Federal Trade Commission (FTC) in 2007, most recently had been scheduled to go into effect Nov. 1, 2009. But this is not the first time that the FTC has delayed the enforcement date. The agency has been pushing back enforcement of the rule every few months for about a year.
Congress has been working on a legislative solution to exempt some physician practices and other small businesses from the identity theft requirements. On Oct. 20, the House passed a bill (H.R. 3763) that would exempt physician practices with 20 or fewer employees–as well as small accounting and legal practices–from the Red Flags Rule. The Senate has yet to act on the bill. The rule also is being challenged in court. On Oct. 30, the U.S. District Court for the District of Columbia ruled that the FTC could not apply the regulation to lawyers.
Under the Red Flags Rule, all creditors, including physician practices, must establish a written identify theft–prevention program to protect consumers. The Red Flags Rule requires physician offices and other health care institutions to conduct risk assessments to determine their vulnerabilities to identity theft and respond to those risks.
The FTC has published a list of frequently asked questions about the Red Flags Rule on its Web site at www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm