A necessary pause on ID theft rules
■ A six-month extension gives the medical community time to get answers to concerns about government rules on preventing identity theft.
Posted Nov. 17, 2008.
No question: Identity theft is a problem in this country. But physicians are right to ask if treating medical practices like major financial institutions is the right way to solve it.
At issue are so-called "red flag" rules released by the Federal Trade Commission and other agencies last year to block thieves from stealing identities to obtain credit or government benefits fraudulently or to use the information for other criminal purposes. These regulations require financial institutions and creditors to develop and implement written identity theft prevention programs by Nov. 1, 2008. The idea is to prevent, detect and respond to suspect patterns or practices -- red flags -- that could signal identity theft.
The FTC says the rules pertain to entities that regularly extend credit or defer payment for services. In recent weeks, the agency has indicated that the regulations also apply in the health care arena. But physicians are questioning whether the rules appropriately apply to them.
In a Sept. 30 letter, the American Medical Association and more than two dozen national and specialty medical associations asked for a clarification on the matter and a delay of the Nov. 1 enforcement date. On Oct. 22, the FTC pushed back the deadline six months to May 1, 2009. The agency said it took the action after some industries and entities said they did not know they were subject to the rules.
The AMA issued a statement in support of the delay, which gives the medical community more time to address its concerns and get answers to its questions. During that time, the Association will keep educating the FTC about why physicians are not creditors and should be exempt from the regulations, said AMA Board of Trustees Chair Joseph M. Heyman, MD.
There is much to be addressed during the six-month reprieve. The AMA and other medical organizations disagree with the agency that most physicians are creditors because most doctors do not "regularly extend, renew or continue credit."
They note that the final rule mentions lenders such as mortgage brokers, finance companies and banks but does not include physicians among the businesses listed as creditors. Their letter to the FTC suggested that the agency did not consider administrative and legal burdens the new rules would bring, as the Health Insurance Portability and Accountability Act already mandates that patient information be private and secure.
Medical associations also question whether physicians are creditors if they bill patients after medical services are provided. Taking such a view would mean broadly that anyone who bills or issues an invoice for services would be a creditor under the rules' definition.
In addition, the groups say physicians should not be considered creditors simply because they accept insurance and the patient is responsible for the amount not paid by the insurer.
Much is at stake as the FTC and the medical community hash out what the regulations mean to physicians and determine what doctors will be required to do when May 1 arrives. The FTC has said failure to comply with the rules could lead to administrative penalties or up to $2,500 in fines per violation. Meanwhile, medical practices will need to look at what practices they have in place to guard against medical identity theft and what initiatives will need to be undertaken if they must comply with the regulations.
The FTC says it will listen to concerns of the AMA and others, and the agency plans to respond to the groups' Sept. 30 letter. Meanwhile, the six-month extension provides at least some time for the agency to consider how it can effectively trip up identity thieves without doing the same to medical practices.