Misguided ID theft rules confuse practices with banks
■ Physicians, already tracking identity theft under HIPAA, should not also be subject to regulations designed for banks.
Posted March 15, 2010.
Physicians can be healers, counselors and employers. But in no way, shape or form are they banks. So why is the Federal Trade Commission treating doctors as if they were?
As of June 1, physician practices are supposed to have written identity-theft and detection programs in place to satisfy what is commonly known as the red flags rule. The FTC aimed the regulation at what it referred to as "creditors," meaning, generally, banks and credit-card companies, to protect consumers' account information from being misused.
For nearly two years, the American Medical Association has taken a leading role in trying to set the FTC straight on the misnomer that physicians are "creditors."
Only months before the original Oct. 1, 2008, deadline for compliance, the FTC said physicians must comply with the red flags rule because, by virtue of billing and collecting payments only after services were completed, they also were "creditors." This, despite the FTC's final rule, in June 2008, making no mention of physicians, and only a single reference to medical identity theft.
Under the Health Insurance Portability and Accountability Act, physicians already are responsible for taking steps to ensure the confidentiality and security of patients' medical information. Having to comply with the red flags rule on top of HIPAA would be largely redundant, an unfunded mandate that will create more unnecessary bureaucracy for physician practices with little, if any, benefit to the public.
The claims payment process is not a deferral process, a way to extend credit to patients. Instead, it simply reflects the realities under which doctors have legal, ethical and contractual obligations under federal and state laws that govern insurance relationships. Generally, a physician is barred from requiring that certain payment conditions be met upfront before treatment. So does the FTC think physicians can, and should, demand money upfront so they are no longer considered creditors?
Thanks in part to pushback by organized medicine, the FTC has issued several delays to its red flags rule compliance deadline. (Meanwhile, the AMA and other organizations have made materials available to doctors to tell them how to comply with the rules.)
That fight continues. On Jan. 27, the AMA -- along with the American Osteopathic Assn., the American Dental Assn. and the American Veterinary Medical Assn. -- sent a letter, in light of a recent court ruling, to FTC Chair Jon Leibowitz to request that the red flags rule not be applied to physicians and other health care professionals.
On Nov. 30, 2009, the U.S. District Court for the District of Columbia blocked the FTC from mandating that attorneys comply with the red flags rule. In a lawsuit brought by the American Bar Assn., the district court held that application of the rule to lawyers "is both plainly erroneous and inconsistent with the purpose underlying enactment of the FACT Act" -- the Fair and Accurate Credit Transactions Act, the 2003 legislation that mandated the creation of the red flags rule.
The court also wrote that the FTC, by applying the rule to attorneys, "not only seeks to extend its regulatory power beyond that authorized by Congress, but it also untimely and arbitrarily selects monthly invoice billing as the activity it seeks to regulate." Though doctors' and lawyers' billing activity has some differences, it is similar in that although fees for services are not collected the moment they are provided, that is because of how the professions' billing patterns work -- not because they are issuing credit.
The ABA case is a red flag in its own right -- a signal not to confuse professional practices with creditors. The FTC should examine the judicial opinion in that case and recognize that, like attorneys, physicians are not banks, and they should not be treated as such.