AMA leads suit to block FTC rule telling doctors to police ID theft

Organized medicine is turning to the courts for relief from what physicians say is an overreaching government mandate that ropes them into the same category as financial institutions and threatens relationships with patients by requiring doctors to police identity theft.

The American Medical Association and two other medical organizations on May 21 sued the Federal Trade Commission to block the agency from subjecting physicians to its "red flags" rule, which requires entities that regularly extend credit to establish formal policies for detecting and preventing identity theft. The commission has maintained that the regulation -- which stems from a 2003 law aimed primarily at the banking industry -- was written broadly enough to consider physicians as creditors when they defer payment for services through insurance or payment plans.

Organized medicine repeatedly petitioned the FTC to exclude physicians from what they said was an unexpected and unreasonable application of the rule. Despite several enforcement delays -- the latest through Dec. 31 -- the commission has not wavered in its position that the regulation was meant to cover a wide range of identity theft. Unless Congress acts, the FTC does not have the authority to exempt doctors, officials said.

The AMA, which filed the lawsuit through the Litigation Center of the American Medical Association and the State Medical Societies, was joined by the American Osteopathic Assn. and the Medical Society of the District of Columbia. The groups are asking a federal court to declare the red flags rule unlawful as applied to doctors. At this article's deadline, no hearing dates or rulings had been issued by the U.S. District Court for the District of Columbia, where the complaint was lodged.

Physicians won a temporary reprieve as confusion over the scope of the rule prompted the FTC once again to delay enforcement, from June 1 through the end of the year. The move -- which came just one week after the AMA litigation was filed -- came at the request of congressional lawmakers who are considering legislation that would clarify the red flags statute. The changes would exempt certain small businesses, including health care practices with 20 or fewer employees. The measure passed the House in October 2009, and a Senate companion measure was introduced in May 2010.

The AMA welcomed the latest enforcement delay. But physicians continue to press for a permanent exemption for all doctors.

"This unjustified federal regulation of medicine treats physician practices like banks, credit card companies and mortgage lenders," AMA President-elect Cecil B. Wilson, MD, said in a statement. "The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public."

Doctors acknowledge that medical identity theft is a growing concern for patients and physicians. But they say the added regulatory layer duplicates privacy requirements under existing laws.

"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patients' medical information," said MSDC President Peter E. Lavine, MD. "It is unnecessary to add to the existing web of federal security regulations physicians must follow."

The FTC did not immediately return calls seeking comment. Officials in a statement urged Congress "to fix the unintended consequences of the legislation establishing the red flags rule -- and to fix this problem quickly."

Meanwhile, commission guidelines say the rule is flexible and that practices need only set up anti-theft programs that correspond to their risk levels. Enforcement action is unlikely against low-risk businesses, such as those that know their customers, or where identity theft is rare, according to past FTC statements.

Doctor-patient relationship at stake

In their lawsuit, physicians say the requirements, which cannot be done on a "cookie-cutter basis," impose financial and administrative strains -- particularly on small practices -- that detract from patient care. The obligation that physicians check patients' identities before treating them also violates the doctor-patient relationship and "requires physicians to approach each new patient with skepticism," rather than trust, the complaint says.

Physicians argue that they should not be considered creditors by virtue of routine billing practices that often preclude them from collecting payment up front. Nor was the medical community given reasonable notice of, or opportunity to comment on, the red flags rule or its impact on physician practices, as required by federal rule-making, according to the lawsuit.

"It did come as a bit of a shock that it was going to be applied to providers, especially since they don't necessarily have control over what type of payment or payment arrangements they take from patients or insurers," said Lucy C. Hodder, chair of the New Hampshire law firm Rath Young Pignatelli's health care practice group. In addition, "there is a real concern about what type of ID [doctors' offices] need to ask for & and how far they are supposed to go to intervene with these regulations."

To bolster their case, physicians also pointed to a 2009 federal court ruling exempting lawyers from the rule. At this article's deadline, an appeal by the FTC in American Bar Assn. v. Federal Trade Commission was pending in the U.S. Court of Appeals for the D.C. Circuit.

But any confusion over the scope of the rule may be lawmakers' responsibility, said Anne Wallace. She is president of the Washington, D.C.-based Identity Theft Assistance Center, a consumer advocacy organization. "The FTC is enforcing the law that Congress wrote. If the medical profession has a quarrel, it's with Congress, because the law is broadly written, and the FTC didn't just make this up."

It is in consumers' best interests to have privacy and anti-fraud rules applied more widely and more consistently across the board, Wallace added. "From the standpoint of the consumer, they have to go to the bank and they have to go to the doctor, so why should the rules be different?"

Possible fine: $3,500

Meanwhile, absent permanent legal or legislative relief, physicians are being urged to adopt a compliance plan. Penalties for noncompliance range from administrative sanctions to fines of up to $3,500 per violation.

Organized medicine's lawsuit "may well be successful. But I'm not sure the FTC would be feeling particularly sympathetic, postlitigation, to anyone who was unprepared," said Peter F. McLaughlin, a health care privacy and security expert in Foley & Lardner LLP's Boston office.

He recommended that each physician practice take the time to evaluate its individual risk for identity theft and develop a customized plan to address potential fraud occurrences.

"One of the areas where health care providers may be doing themselves a disservice is taking [an existing] policy and changing the name and declaring themselves in compliance," McLaughlin said. "One area where the FTC has little mercy is a situation where you have a policy but do not comply with it."

Shortly after this article went to press for the June 7 print edition, the FTC delayed enforcement of the red flag rule. This online version has been updated to reflect those developments.