Government

Physicians get second delay in FTC enforcement of identity theft rules

Organized medicine continues to challenge the application of the "red flags" rules to physicians. Experts still advise compliance with the new Aug. 1 deadline.

By Amy Lynn Sorrel — Posted May 11, 2009

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Clamor from the medical community has prompted the Federal Trade Commission again to delay, this time from May 1 to Aug. 1, enforcement of new regulations to combat identity theft. The latest last-minute reprieve gives organized medicine more time to air concerns that what it considers an overreaching interpretation by the FTC of the "red flags" rules will prove burdensome for doctors.

The regulations, authorized under the 2003 Fair and Accurate Credit Transactions Act, require entities that regularly extend credit, or defer payment for services, to establish a written policy for preventing and responding to signs of identity theft. The American Medical Association and others continue to challenge the commission's view that Congress intended to consider physicians creditors under the act because they defer payments for services through insurance companies or other means.

In an April 30 statement, the FTC acknowledged "the ongoing debate about whether Congress wrote this provision too broadly." The commission said the delay was intended to give various industries and associations a chance to share guidance, and it would allow the FTC to release a template that businesses can follow to draft a compliant policy. The postponement also will "give Congress time to consider the issue further," the statement said.

Whether or not lawmakers take up the question, the agency's position has not changed, said Naomi Lefkovitz, an attorney in the FTC Division of Privacy and Identity Protection. She reiterated that the commission does not intend these rules to be onerous.

The rules were designed to cover a range of potential identity theft, and they allow businesses to tailor programs to their own risk levels, Lefkovitz said. "But there continued to be a lot of concern and questions about what such a program would look like, particularly for low-risk businesses" such as some physician practices. The forthcoming FTC template will be available on the agency's Web site.

The announcement follows an earlier postponement of the original Nov. 1, 2008, enforcement date to May 1. When it implemented that delay, the FTC acknowledged that some industries, including the medical community, were caught off guard by the rules, which mainly reference financial sectors.

The AMA and other medical organizations say that lack of notice deprived physicians of the chance to comment officially on the regulations' application to them, as required under the federal rule-making process. "We will continue to make the case to FTC that they should republish the rule so that we have an opportunity to formally comment and state our objections to physician inclusion in the program," AMA Secretary Ardis D. Hoven, MD, said in response to the latest delay.

Impact on physician practices

The medical community, in a series of letters to the FTC, contends that the agency ignored the additional, unnecessary burden the unfunded mandate places on physician practices. The Health Insurance Portability and Accountability Act, for instance, already obligates doctors to keep patient information private and secure.

In addition, the federal Regulatory Flexibility Act mandates that the FTC examine the potentially disproportionate impact any federal regulations may impose on small businesses, including physician practices, according to an April 8 letter to the commission from Rep. Nydia Velazquez, (D, N.Y.) chair of the House Committee on Small Business. "It is readily apparent that health professionals will face very significant economic impacts" from the red flags rules, including the uncompensated time required to review them, implement policies and train staff.

Velazquez also said she found it troubling that the FTC did not notify the medical community that the rules -- which make only a single mention of health care -- applied to physicians until nearly a year after their release in November 2007.

"The FTC by postponing the deadline is trying to bring people to a higher level of awareness and has perceived a real need to stomp out identity theft. The question is, is this the right legal route to take?" asked Jennifer G. Karron, an attorney specializing in consumer credit and privacy and security issues. "Even though this [rule] is very privacy-focused, once you are a creditor, there are whole series of other laws that apply and a whole host of other issues that it's not entirely clear were part of the decision-making process," said Karron, a partner at Foley & Lardner LLP in Milwaukee.

Because it already has a full legislative plate, Congress is unlikely to take action on the issue, said Gerald E. DeLoss, vice chair of the American Health Lawyers Assn.'s Health Information and Technology Practice Group. In addition, the most recent federal stimulus package gives the FTC greater authority over certain health information privacy and security issues, he said. "It would be tough to say now Congress is going to take that away."

Still, in light of the recent delay, Karron said she is "cautiously optimistic that the FTC is willing to engage in dialogue, and this increases the likelihood there will be a resolution outside of the courtroom."

As of this article's deadline, no organization had filed suit against the commission over the rules. But correspondence from Velazquez and organized medicine cited several court precedents bolstering the physicians' stance.

The AMA has proposed working with the FTC to better educate physicians on medical identity theft, which the Association agrees is a growing threat.

Don't wait

In the meantime, experts urge physicians to take advantage of the latest delay to become compliant with the regulations before their hands are forced.

Existing HIPAA policies are a good starting point, the AHLA's DeLoss said. But the FTC rules focus on additional financial information and include stricter patient notification requirements.

Foley & Lardner's Karron also recommended that practices take the first steps by evaluating potential areas of risk and verifying patients' identities when they walk in the door. She noted that the rule was aimed at protecting patients, as well as physician practices, from identity theft.

"Doctors should look at this as a way to build trust with patients," she said. "Regardless of what happens with this rule, this reflects a public perception and expectation that we need to keep personal information secure, and that's a responsibility every business has."

Back to top


ADDITIONAL INFORMATION

Don't delay during the delay

Despite a second postponement of enforcement of the red flags rules until Aug. 1, experts recommend that physicians take steps now to become compliant with new Federal Trade Commission rules requiring the development of a formal identity theft prevention policy. Once enforcement kicks in, failure to comply with the red flags rules could mean administrative penalties or fines of up to $2,500 per violation. Here are some resources for physicians.

FTC guide. On April 2, the FTC launched a guide to help businesses understand and comply with the red flags rules. The FTC also is developing a more detailed template for a formal identity theft prevention policy that will be available on the agency's Web site (link).

AMA guide. The AMA prepared sample policies and guidance to help physicians comply with the new requirements and build off of existing HIPAA policies. Meanwhile, the AMA continues to challenge the FTC's view that physicians are covered by the rules as creditors (link).

World Privacy Forum report. The World Privacy Forum issued a report on the red flags rules and medical identity theft with suggestions for the health care field (link).

Back to top


ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn