Government
Physicians get second delay in FTC enforcement of identity theft rules
■ Organized medicine continues to challenge the application of the "red flags" rules to physicians. Experts still advise compliance with the new Aug. 1 deadline.
By Amy Lynn Sorrel — Posted May 11, 2009
- WITH THIS STORY:
- » Don't delay during the delay
- » Related content
Clamor from the medical community has prompted the Federal Trade Commission again to delay, this time from May 1 to Aug. 1, enforcement of new regulations to combat identity theft. The latest last-minute reprieve gives organized medicine more time to air concerns that what it considers an overreaching interpretation by the FTC of the "red flags" rules will prove burdensome for doctors.
The regulations, authorized under the 2003 Fair and Accurate Credit Transactions Act, require entities that regularly extend credit, or defer payment for services, to establish a written policy for preventing and responding to signs of identity theft. The American Medical Association and others continue to challenge the commission's view that Congress intended to consider physicians creditors under the act because they defer payments for services through insurance companies or other means.
In an April 30 statement, the FTC acknowledged "the ongoing debate about whether Congress wrote this provision too broadly." The commission said the delay was intended to give various industries and associations a chance to share guidance, and it would allow the FTC to release a template that businesses can follow to draft a compliant policy. The postponement also will "give Congress time to consider the issue further," the statement said.
Whether or not lawmakers take up the question, the agency's position has not changed, said Naomi Lefkovitz, an attorney in the FTC Division of Privacy and Identity Protection. She reiterated that the commission does not intend these rules to be onerous.
The rules were designed to cover a range of potential identity theft, and they allow businesses to tailor programs to their own risk levels, Lefkovitz said. "But there continued to be a lot of concern and questions about what such a program would look like, particularly for low-risk businesses" such as some physician practices. The forthcoming FTC template will be available on the agency's Web site.
The announcement follows an earlier postponement of the original Nov. 1, 2008, enforcement date to May 1. When it implemented that delay, the FTC acknowledged that some industries, including the medical community, were caught off guard by the rules, which mainly reference financial sectors.
The AMA and other medical organizations say that lack of notice deprived physicians of the chance to comment officially on the regulations' application to them, as required under the federal rule-making process. "We will continue to make the case to FTC that they should republish the rule so that we have an opportunity to formally comment and state our objections to physician inclusion in the program," AMA Secretary Ardis D. Hoven, MD, said in response to the latest delay.
Impact on physician practices
The medical community, in a series of letters to the FTC, contends that the agency ignored the additional, unnecessary burden the unfunded mandate places on physician practices. The Health Insurance Portability and Accountability Act, for instance, already obligates doctors to keep patient information private and secure.
In addition, the federal Regulatory Flexibility Act mandates that the FTC examine the potentially disproportionate impact any federal regulations may impose on small businesses, including physician practices, according to an April 8 letter to the commission from Rep. Nydia Velazquez, (D, N.Y.) chair of the House Committee on Small Business. "It is readily apparent that health professionals will face very significant economic impacts" from the red flags rules, including the uncompensated time required to review them, implement policies and train staff.
Velazquez also said she found it troubling that the FTC did not notify the medical community that the rules -- which make only a single mention of health care -- applied to physicians until nearly a year after their release in November 2007.
"The FTC by postponing the deadline is trying to bring people to a higher level of awareness and has perceived a real need to stomp out identity theft. The question is, is this the right legal route to take?" asked Jennifer G. Karron, an attorney specializing in consumer credit and privacy and security issues. "Even though this [rule] is very privacy-focused, once you are a creditor, there are whole series of other laws that apply and a whole host of other issues that it's not entirely clear were part of the decision-making process," said Karron, a partner at Foley & Lardner LLP in Milwaukee.
Because it already has a full legislative plate, Congress is unlikely to take action on the issue, said Gerald E. DeLoss, vice chair of the American Health Lawyers Assn.'s Health Information and Technology Practice Group. In addition, the most recent federal stimulus package gives the FTC greater authority over certain health information privacy and security issues, he said. "It would be tough to say now Congress is going to take that away."
Still, in light of the recent delay, Karron said she is "cautiously optimistic that the FTC is willing to engage in dialogue, and this increases the likelihood there will be a resolution outside of the courtroom."
As of this article's deadline, no organization had filed suit against the commission over the rules. But correspondence from Velazquez and organized medicine cited several court precedents bolstering the physicians' stance.
The AMA has proposed working with the FTC to better educate physicians on medical identity theft, which the Association agrees is a growing threat.
Don't wait
In the meantime, experts urge physicians to take advantage of the latest delay to become compliant with the regulations before their hands are forced.
Existing HIPAA policies are a good starting point, the AHLA's DeLoss said. But the FTC rules focus on additional financial information and include stricter patient notification requirements.
Foley & Lardner's Karron also recommended that practices take the first steps by evaluating potential areas of risk and verifying patients' identities when they walk in the door. She noted that the rule was aimed at protecting patients, as well as physician practices, from identity theft.
"Doctors should look at this as a way to build trust with patients," she said. "Regardless of what happens with this rule, this reflects a public perception and expectation that we need to keep personal information secure, and that's a responsibility every business has."