Implementation of Red Flags Rule delayed until appeals court rules on lawsuit

Key Points

Implementation of the Red Flags Rule by the Federal Trade Commission (FTC), which would require doctors and other businesses to take specific steps to minimize identity theft, has been delayed until a federal appeals court rules on a lawsuit by the American Bar Association (ABA).

Last October, a federal district court agreed with the ABA's challenge of the FTC's decision to require attorneys to comply with the rule, and on July 21, the agency filed an appeal. The FTC contends that lawyers act as creditors when they provide legal services without immediate payment from the client - essentially the same position taken by the agency with respect to physicians.

The agreement was reached with the American Medical Association, the American Osteopathic Association and the Medical Society for the District of Columbia, which filed its own suit against the FTC on May 21. In that suit, the medical groups, joined by a number of specialty societies, also argued that physicians are not creditors as stated by the FTC, and should not be forced to meet the regulation's privacy protection requirements.

Under intense pressure from numerous businesses and members of Congress, the FTC on May 28 delayed enforcement of the Red Flags Rule from the previous effective date of June 1, 2010, to Dec. 31. The latest action means that physician compliance likely will be delayed past that date. The extension until Dec. 31 was the fifth delay to which the FTC had agreed because of questions from various business groups regarding the rule's application to them.

The FTC was scheduled to answer the physician groups' suit by July 20, but that date was delayed until 60 days after the appeals court's decision in the ABA case.

Congressional involvement

Meanwhile, Congress has gotten into the act. When the FTC announced its implementation delay until Dec. 31, it cited congressional consideration of legislation that would affect the scope of entities covered by the rule.

Last year, the U.S. House of Representatives, by a vote of 400-0, passed legislation that would exclude from the regulation's requirements healthcare, accounting and legal practices with 20 or fewer employees. Covered under the bill are physicians, dentists, podiatrists, chiropractors, physical therapists and others.

Sens. John Thune (R-S.D.) and Mark Begich (D-Alaska) introduced identical legislation, S. 3416, on May 25.

"Identity theft is a serious problem, but the FTC rules are too broad and ensnare businesses that pose little risk to consumers," Sen. Thune said.

AAD action

On March 3, 2009, the AAD sent a letter to the FTC objecting to its inclusion of physicians under the rule, stressing the implications of imposing the regulations on the primarily solo and small-practice dermatologists who would be required to comply.

In the letter, AAD President C. William Hanke, M.D., F.A.A.D., said the rule states that a "creditor" is "any person who regularly extends, renews, or continues credit; any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."

Dr. Hanke wrote: "We disagree with FTC staff's determination that most practicing physicians are 'creditors' under the statutory and regulatory scheme, as most do not 'regularly extend, renew or continue credit.' ... We do not see many parallels between the financial operations of physicians' offices and banks, mortgage brokers, or automobile dealers, which are among the industries listed in the final rule as 'creditors.'"

Moreover, Dr. Hanke cited the fact that some aspects of the Red Flags Rule duplicate major regulations already governing the healthcare delivery sector, including the Health Insurance Portability and Accountability Act (HIPAA).

However, to prepare dermatologists for compliance effective Dec. 31, the AAD created a special website ( http://www.aad.org/pm/compliance/redflagsrule/index.html) that provides background material, definitions of who is covered, and specific requirements as they apply to dermatologists. The AAD also includes a guide to a compliance plan, which it said "should be incorporated into your existing policy and procedure manual or HIPAA manual."

AAD also advised: "When developing your policy, please keep in mind that it should not be overly costly or burdensome. The primary goal of the FTC is for physician practices to make a reasonable effort to be aware of abnormal and potentially fraudulent behavior, or 'red flags,' and respond appropriately in order to mitigate medical identity theft."

It is unclear when, or if, physicians will be covered by the regulation. The courts - or perhaps Congress - will decide.

Bob Gatty, former congressional aide, covers Washington for businesses specializing in healthcare and related issues. Contact him at bob@gattyedits.com