The Federal Trade Commission has again postponed enforcement of the “Red Flags” rule, giving physicians until the end of 2010 before they must implement identity-theft prevention programs in their practices.
Enforcement of the rule had been scheduled to begin on June 1. In a statement issued over the summer, the FTC said it was delaying enforcement to give Congress time to consider pending legislation that would exclude some small physician practices and small businesses from the rule. Last year, the House passed a bill (H.R. 3763) that would have exempted physician practices with 20 or fewer employees from the Red Flags rule, but that legislation has failed to gain traction in the Senate.
FTC officials urged lawmakers to act quickly to clarify what groups should be covered by the regulation. “As an agency, we're charged with enforcing the law, and endless extensions delay enforcement,” FTC chairman Jon Leibowitz said in a statement.
The Red Flags rule was written to implement provisions of the Fair and Accurate Credit Transactions Act, which calls on creditors and financial institutions to address the risk of identity theft. The rule requires creditors to develop formal identity-theft prevention programs that would allow an organization to identify, detect, and respond to any suspicious practices, or “red flags,” that could indicate identity theft.
The rule became effective on Jan. 1, 2008, with an original enforcement deadline of Nov. 1, 2008.
However, the FTC has delayed enforcement of the rule several times, first to give organizations more time to get familiar with the requirements and later at the request of members of Congress.
The American Medical Association has joined the American Osteopathic Association and the Medical Society of the District Columbia in a federal lawsuit that seeks to prevent the FTC from applying the Red Flags rule to physicians. The groups contend that not only are physicians not creditors, but that the rules would be burdensome and that they duplicate requirements already in place under the Health Insurance Portability and Accountability Act.
“Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patients' medical information,” Dr. Peter E. Lavine, president of the Medical Society of the District of Columbia, said in a statement. “It is unnecessary to add to the existing web of federal security regulations physicians must follow.'