The Federal Trade Commission (FTC) voted on April 30 to delay until Aug. 1 implementation of its "red flag" regulations that require physicians and others whom the FTC considers "creditors" to develop written policies to prevent identity theft. The rules, originally scheduled to take effect May 1, require businesses to have programs to identify and respond to "patterns, practices, or specific activities - known as 'red flags' - that indicate the possibility of identity theft." Physicians could be fined up to $2,500 per violation.
The Texas Medical Association, the American Medical Association, and 25 other medical societies say physicians should not be subject to the rules because they are not creditors. In a letter to the FTC in March, organized medicine expressed several concerns about the rules. They include the FTC defining physicians as creditors, as well as the overlap between this rule and other regulatory requirements already imposed on physicians such as the Health Insurance Portability and Accountability Act (HIPAA). They also say the FTC failed to comply with the Administrative Procedure Act (APA), which requires the FTC to explain its regulatory proposals and give the public notice and a chance to comment.
The FTC appears unmoved by the argument that physicians are not creditors. An FTC news release says the agency granted the delay to give businesses more time to develop their compliance policies. The release says "accepting cards as a form of payment does not, by itself, make an entity a creditor," but adds that examples of creditors include "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."
AMA says it will use the three-month delay to convince the FTC that physicians are not creditors and therefore should not be subject to the rule. "We will continue to make the case to FTC that they should republish the rule so that we have an opportunity to formally comment and state our objections to physician inclusion in the program," said AMA Board of Trustees member Ardis Hoven, MD.
TMA is prepared if the rules ultimately take effect. The association has sample policies and procedures to help members develop their own identity theft compliance plans. Although they are a good place to start, individual practices may need to revise them to reflect the scope of their activities. It is important to note that these policies and procedures are specific to the "red flag" rules and do not reflect HIPAA compliance practices. To comply fully with the "red flag rules," a practice needs both identity theft and HIPAA policies and procedures to dictate privacy and security practices generally.
TMA has a prerecorded version of the Red Flag Rules Learn @ Lunch audio conference available for download. This program reviews the new FTC regulations and offers practical tools such as action plans, policies and procedures, and implementation techniques to help physicians with compliance. One registration fee of $50 will train your entire staff. You may register for this recording now.
Action, May 4, 2009