ID theft rule decision offers doctors a way out
■ Physicians petition for exemption from the FTC's "red flags" regulation after a court ruling excused lawyers from the new requirement.
By Amy Lynn Sorrel — Posted Feb. 15, 2010
A recent federal court decision could offer physicians and other health professionals an avenue for relief from a Federal Trade Commission regulation requiring them to implement a formal identity theft prevention program or face penalties.
The Dec. 1, 2009, ruling by the U.S. District Court for the District of Columbia blocked the commission from applying the "red flags" rule to lawyers. The decision prompted the American Medical Association and others to petition the commission in January for a similar exclusion for physicians and other health care professionals.
The regulations, which have gone into effect but whose enforcement has been delayed until June 1, require entities that regularly extend credit or defer payment for services to adopt a formal policy for detecting and preventing identity theft. The FTC counts physician practices as creditors if they bill patients for past services or allow patients to set up payment plans.
But in a case brought by the American Bar Assn., the court found that the FTC exceeded its authority in applying that interpretation to attorneys.
"The court ruling sends a clear signal that the FTC needs to re-evaluate the broad application of the red flags rule," AMA President J. James Rohack, MD, said in a statement.
The AMA and other medical organizations said in a Jan. 27 letter that if the ABA litigation produces an exemption for lawyers, health care professions should be exempted, too. The American Osteopathic Assn., the American Dental Assn. and the American Veterinary Medical Assn. also joined the petition.
The FTC declined to comment on the request or on whether it would appeal the ABA ruling.
Concerns from organized medicine that the unfunded mandate posed by the identity theft rule would unnecessarily burden physician practices and increase health care costs have prompted several delays in the rule's enforcement. But with the FTC firm in its position that the health care industry falls under the regulations' scope, those delays do little to alleviate doctors' concerns, said Shawn Martin, AOA director of government relations.
"From our perspective, attorneys' offices and physician offices are no different as far as the business structure, and this [ruling] created a precedent for us to argue from," he said. "We will pursue all reasonable and feasible avenues to make sure our members can practice medicine in the least burdensome manner possible. This is a lot of hoopla for a $20 co-pay."
Pathway to a reprieve?
Legal experts said the ruling in favor of the ABA could be good news for the health care industry.
The court concluded that the Fair and Accurate Credit Transactions Act, which authorized the FTC to promulgate the red flags rule, was intended to regulate financial institutions and transactions, not the privileged attorney-client relationship and the services lawyers provide. Nor did the practice of invoicing a client after rendering services make the attorney a financial institution or a creditor.
"The same can absolutely be said that the long-standing, privileged relationship between a health care provider and his or her patient is very different from the relationship between a financial institution and a customer," said Lucy C. Hodder, chair of the health care practice group in Rath Young Pignatelli's Concord, N.H., office.
"The decision should force some kind of pointed discussion between the FTC and the provider community," and it could give health care professionals sound footing to bring similar action, she said. As of this article's deadline, no lawsuit had been filed by health care organizations.
Physicians also have a leg up on lawyers in that they already are subject to federal privacy and security regulations that have given doctors a heightened awareness of identity theft issues, Hodder added.
But doctors have characteristics that could bolster the FTC's position that they should be included in the fight against identity theft, said New York City-based health care lawyer Charles E. Kutner. Unlike attorneys, "doctors are in a unique position because they are in possession of two forms of confidential information that are protected by federal law: health information protected by [the Health Insurance Portability and Accountability Act], and financial information protected by these regulations. ... The government is saying we're not really imposing any great burden."
Nevertheless, he agreed that the FTC may have overlooked existing efforts aimed, for instance, at protecting patient privacy and preventing Medicare fraud. "Identity theft is a major issue affecting all sectors of the economy, and what the FTC is trying to do is a worthwhile endeavor. But doctors shouldn't be a part of law enforcement. There are other ways."
The AOA's Martin suggested incorporating the red flags requirements into the forthcoming transition to electronic medical records, which will include heightened security and breach notification measures.
Meanwhile, unless the FTC alters the rules or legislative relief is secured, members of organized medicine are advising physicians to scope out warning signs of potential identity theft and be prepared to adopt a compliance plan by June 1.