AMA leads suit to block FTC rule telling doctors to police ID theft

Organized medicine groups say the "red flags" rule intrudes on relationships with patients and regulates physicians like banks. Enforcement to begin on Jan. 1, 2011.

By Amy Lynn Sorrel — Posted May 31, 2010

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Organized medicine is turning to the courts for relief from what physicians say is an overreaching government mandate that ropes them into the same category as financial institutions and threatens relationships with patients by requiring doctors to police identity theft.

The American Medical Association and two other medical organizations on May 21 sued the Federal Trade Commission to block the agency from subjecting physicians to its "red flags" rule, which requires entities that regularly extend credit to establish formal policies for detecting and preventing identity theft. The commission has maintained that the regulation -- which stems from a 2003 law aimed primarily at the banking industry -- was written broadly enough to consider physicians as creditors when they defer payment for services through insurance or payment plans.

Organized medicine repeatedly petitioned the FTC to exclude physicians from what they said was an unexpected and unreasonable application of the rule. Despite several enforcement delays -- the latest through Dec. 31 -- the commission has not wavered in its position that the regulation was meant to cover a wide range of identity theft. Unless Congress acts, the FTC does not have the authority to exempt doctors, officials said.

The AMA, which filed the lawsuit through the Litigation Center of the American Medical Association and the State Medical Societies, was joined by the American Osteopathic Assn. and the Medical Society of the District of Columbia. The groups are asking a federal court to declare the red flags rule unlawful as applied to doctors. At this article's deadline, no hearing dates or rulings had been issued by the U.S. District Court for the District of Columbia, where the complaint was lodged.

Physicians won a temporary reprieve as confusion over the scope of the rule prompted the FTC once again to delay enforcement, from June 1 through the end of the year. The move -- which came just one week after the AMA litigation was filed -- came at the request of congressional lawmakers who are considering legislation that would clarify the red flags statute. The changes would exempt certain small businesses, including health care practices with 20 or fewer employees. The measure passed the House in October 2009, and a Senate companion measure was introduced in May 2010.

The AMA welcomed the latest enforcement delay. But physicians continue to press for a permanent exemption for all doctors.

"This unjustified federal regulation of medicine treats physician practices like banks, credit card companies and mortgage lenders," AMA President-elect Cecil B. Wilson, MD, said in a statement. "The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public."

Doctors acknowledge that medical identity theft is a growing concern for patients and physicians. But they say the added regulatory layer duplicates privacy requirements under existing laws.

"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patients' medical information," said MSDC President Peter E. Lavine, MD. "It is unnecessary to add to the existing web of federal security regulations physicians must follow."

The FTC did not immediately return calls seeking comment. Officials in a statement urged Congress "to fix the unintended consequences of the legislation establishing the red flags rule -- and to fix this problem quickly."

Meanwhile, commission guidelines say the rule is flexible and that practices need only set up anti-theft programs that correspond to their risk levels. Enforcement action is unlikely against low-risk businesses, such as those that know their customers, or where identity theft is rare, according to past FTC statements.

Doctor-patient relationship at stake

In their lawsuit, physicians say the requirements, which cannot be done on a "cookie-cutter basis," impose financial and administrative strains -- particularly on small practices -- that detract from patient care. The obligation that physicians check patients' identities before treating them also violates the doctor-patient relationship and "requires physicians to approach each new patient with skepticism," rather than trust, the complaint says.

Physicians argue that they should not be considered creditors by virtue of routine billing practices that often preclude them from collecting payment up front. Nor was the medical community given reasonable notice of, or opportunity to comment on, the red flags rule or its impact on physician practices, as required by federal rule-making, according to the lawsuit.

"It did come as a bit of a shock that it was going to be applied to providers, especially since they don't necessarily have control over what type of payment or payment arrangements they take from patients or insurers," said Lucy C. Hodder, chair of the New Hampshire law firm Rath Young Pignatelli's health care practice group. In addition, "there is a real concern about what type of ID [doctors' offices] need to ask for & and how far they are supposed to go to intervene with these regulations."

To bolster their case, physicians also pointed to a 2009 federal court ruling exempting lawyers from the rule. At this article's deadline, an appeal by the FTC in American Bar Assn. v. Federal Trade Commission was pending in the U.S. Court of Appeals for the D.C. Circuit.

But any confusion over the scope of the rule may be lawmakers' responsibility, said Anne Wallace. She is president of the Washington, D.C.-based Identity Theft Assistance Center, a consumer advocacy organization. "The FTC is enforcing the law that Congress wrote. If the medical profession has a quarrel, it's with Congress, because the law is broadly written, and the FTC didn't just make this up."

It is in consumers' best interests to have privacy and anti-fraud rules applied more widely and more consistently across the board, Wallace added. "From the standpoint of the consumer, they have to go to the bank and they have to go to the doctor, so why should the rules be different?"

Possible fine: $3,500

Meanwhile, absent permanent legal or legislative relief, physicians are being urged to adopt a compliance plan. Penalties for noncompliance range from administrative sanctions to fines of up to $3,500 per violation.

Organized medicine's lawsuit "may well be successful. But I'm not sure the FTC would be feeling particularly sympathetic, postlitigation, to anyone who was unprepared," said Peter F. McLaughlin, a health care privacy and security expert in Foley & Lardner LLP's Boston office.

He recommended that each physician practice take the time to evaluate its individual risk for identity theft and develop a customized plan to address potential fraud occurrences.

"One of the areas where health care providers may be doing themselves a disservice is taking [an existing] policy and changing the name and declaring themselves in compliance," McLaughlin said. "One area where the FTC has little mercy is a situation where you have a policy but do not comply with it."

Shortly after this article went to press for the June 7 print edition, the FTC delayed enforcement of the red flag rule. This online version has been updated to reflect those developments.

Back to top


Case at a glance

Did the FTC exceed its authority in applying identity theft regulations to physicians?

A federal district court could decide.

Impact: Physicians say the government mandate was meant to apply to financial institutions and that it places an unnecessary strain on physician practices without benefiting patient care. The FTC has maintained that the rule was written broadly to cover a wide range of identity theft.

American Medical Association, American Osteopathic Assn. and Medical Society of the District of Columbia v. Federal Trade Commission, U.S. District Court for the District of Columbia

Back to top

External links

American Medical Association, American Osteopathic Assn. and Medical Society of the District of Columbia v. Federal Trade Commission, U.S. District Court for the District of Columbia (link)

AMA resources on the red flags rule (link)

Federal Trade Commission compliance guide for the red flags rule (link)

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn