Medicine slams FTC over forcing physicians to police identity theft
Physicians object to the broad application of the "red flag" rules and say they were not forewarned properly. Enforcement begins May 1.
By Amy Lynn Sorrel — Posted April 6, 2009
Organized medicine and the Federal Trade Commission continue to joust over the application to physicians of new identity theft prevention rules. With a May 1 compliance date just around the corner, neither party shows signs of capitulation.
The FTC regulations require a variety of business entities -- mainly financial and banking institutions -- to implement a written program for preventing identity theft as well as detecting and responding to warning signs of such incidents. The commission maintains that when physicians defer payment for services, they become creditors -- entities that regularly extend, renew or continue credit -- under the "red flag" rules.
The American Medical Association and dozens of state and specialty medical societies repeatedly have objected to what they believe is an unreasonably broad application of the regulations, as well as a lack of forewarning by the FTC.
The commission "did not give physicians an appropriate opportunity for notice and comment on the ruling that the red flags would be applied to them," said AMA Secretary Ardis D. Hoven, MD. "The AMA is calling on FTC to re-publish its rule so that we can make the case that physicians should be excluded."
Doctors agree that medical identity theft is a growing concern for patients and physicians. But they also say the additional regulatory burden may duplicate existing requirements under the Health Insurance Portability and Accountability Act. It imposes an "unjustified, unfunded mandate on physicians, especially small practices," and could have "serious, adverse consequences" on access to care, according to a Feb. 23 letter to the FTC from the AMA and other physician organizations.
After an initial outcry, doctors got some relief when the FTC last October delayed the original Nov. 1, 2008, enforcement date by six months. But that may have been the sole reprieve.
The FTC has no plans to extend the deadline again, said Naomi Lefkovitz, an attorney with the FTC's Division of Privacy and Identity Protection. "That said, we continue to take a view that we're looking for reasonable efforts" by doctors to comply.
The rule was intended to address a wide range of potential identity fraud, Lefkovitz said. But given that scope, the FTC recognized last fall that several industries were caught off guard and extended the enforcement date.
"We would rather people understand the rule and do what is reasonable and effective for their particular circumstances," Lefkovitz said. "While we didn't see any means of exempting people, it was designed to be a flexible rule."
Caught off guard
The red flag rules, mandated under the 2003 Fair and Accurate Credit Transactions Act, were published by the FTC in conjunction with the Dept. of Treasury and other federal financial oversight agencies. The regulations mainly reference banks, mortgage brokers and other lenders.
It wasn't until last summer, just months before the compliance date, that physicians found out they also needed to comply, said Gerald E. DeLoss, vice chair of the American Health Lawyers Assn.'s Health Information & Technology Practice Group.
"It was not expressly indicated by FTC or any other interested party that this would apply to health care," he said. There is no mention of physicians in the final rule, released in June 2008, and only a single reference to medical identity theft.
The medical community continues to question the FTC's view that physicians are creditors by virtue of billing patients after their services are completed, whether through an insurance carrier or by other means. "The claims payment process is not a deferral process," said the February letter from the AMA and others. Rather, it is a process in which physicians have ethical, legal and contractual obligations under state and federal laws that govern insurance relationships and bar physicians from conditioning certain treatment upon payment.
The Medical Group Management Assn. is also concerned that once physicians are considered creditors, they might be subject to additional regulations that have nothing to do with health care, said Amy Nordeng, MGMA government affairs counsel. Her group signed the physician organizations' letter. Doctors also might begin demanding payment up front to avoid the rules, Nordeng warned.
The AMA and others contend that, under federal rule-making requirements, the FTC should have advised physicians of the final rule's broad application through a formal notice and comment process, rather than through informal, after-the-fact statements. The AMA reiterated in a March 9 letter to the FTC the medical community's request that if the rules are to incorporate physicians, new rules should be proposed so a fresh comment period will be held.
"That's the way the rule-making process works, and it didn't work that way with this rule," Nordeng said.
The FTC asserts that its position never changed. "We don't see this as an amendment to the rule, just as an interpretation, and it wouldn't warrant any rule change or comment period," Lefkovitz said.
HIPAA overlap?
Another oversight, Nordeng said, was the additional regulatory burden the new rules impose when HIPAA already requires physicians to keep patient information private.
But the red flag rules go beyond HIPAA to require physicians to take action should patient information fall into the wrong hands, said Robert Gellman, a privacy lawyer in Washington, D.C. The FTC asserted in a Feb. 4 letter to the AMA that its rules complement HIPAA's requirements.
Under the Fair and Accurate Credit Transactions Act, "Congress said let's try to get ahead of this problem," said Gellman, who co-wrote a 2008 World Privacy Forum report on the red flag rules' application to health care. "Medical identity theft was already on [the FTC's] radar screen when it published this rule, and the problem is, it's a mess for everybody: The doctor who's not getting paid is a victim; the patient whose name or records were used is a victim; insurance companies are victims."
HIPAA also primarily addresses medical records, whereas the red flag rules deal more with financial issues, DeLoss noted.
The good news for physicians is that they likely can hit the ground running by building on existing HIPAA policies to create a red flag compliance program, DeLoss said. The plan can be tailored to a physician's practice based on risk level, Lefkovitz added.
The AMA plans to release physician guidance on the issue by April 10. The piece is scheduled to be online at the AMA Practice Management Center.