New law exempts doctors from Red Flags Rule

On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010, which narrows the definition of a creditor for purposes of implementing the so-called “red flags rule,” i.e., Federal guidelines for use by financial institutions and creditors in establishing policies and procedures to mitigate identity theft risks.

The new law ended a years-long dispute between the Federal Trade Commission (charged with enforcement of the Red Flags Rule program) and healthcare providers reluctant to take on an additional administrative and regulatory burden.

Via Healthcare IT News:

The Red Flag Program Clarification Act of 2010 (Bill, S. 3987), sponsored by Senators John Thune (R-SD) and Mark Begich (D-AK), was scheduled to go into effect on Dec. 31. It was first introduced in the Senate on Nov. 30 and unanimously passed on the same day. The Senate passed the bill by voice vote on Dec. 7.

The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.

The Red Flag Program Clarification Act modified the regulation to exempt from the Red Flags Rule program those creditors that "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."


FTC Delays Enforcement of the Red Flags Rule

Upon request from members of Congress, the Federal Trade Commission (FTC) has once again pushed back the enforcement of the Red Flags Rule, this time until December 31, 2010.  This is the fifth such delay by the FTC.  Via FTC press release:

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

We have recently reported on the AMA and other medical associations suing the FTC over the applicability of the Rule to healthcare providers.  There was no mention of the AMA's claims or lawsuit in the press release.

You can read the full press release here.

"FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," FTC Press Release (May 28, 2010).

Medical associations sue FTC over Red Flags Rule

Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations.  The FTC is to begin enforcement of the Rule on June 1, 2010.  Among other claims, the medical associations are asking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA.  According to Health Data Management:

'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'

Since most personal health information is already protected by HIPAA, including as modified by the HITECH Act, medical associations argue that the additional privacy safeguards imposed by RFR are simply not necessary.  In addition, the American Bar Association succeeded in excluding lawyers from RFR requirements.  Physicians argue that the exemption of lawyers should apply to healthcare professionals.

We will keep you posted regarding any developments in this case.  However, until the court rules on the AMA's motion, healthcare organizations should remember the June 1, 2010 enforcement date for the Red Flags Rule.  Click here for more information regarding the RFR requirements, but keep in mind the new enforcement date of June 1, 2010.

"Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship," Health Data Management (May 21, 2010).

FTC delays enforcement of the Red Flags Rule till June 2010

In a fairly predictable move, the Federal Trade Commission delayed enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.  According to the FTC press release, the Commission decided to extend the enforcement deadline at the request of members of the U.S. Congress.

However, in the press release, the FTC reminded us about the progress its staff has made in the last year in providing businesses subject to the Red Flags Rule with sufficient guidance and materials:

The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site, and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

You can find the full text of the press release here.

"FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," FTC Press Release (October 30, 2009).

U.S. House: Red Flags Rule does not apply to dentists

In a remarkable 400-0 vote, the U.S. House of Representatives exempted dentists from the requirements of FTC's Red Flags Rule.  The measure garnered rare, unambiguously bi-partisan support in Congress:

"It is obvious that physicians and dentists are not creditors, and they should not be forced to spend hundreds of dollars to comply with this needless regulation," said dentist/Rep. Mike Simpson (R-Idaho), one of the key sponsors of the bill. "They don't require full payment at the time of service because they first bill the insurance company, then they bill the patient the remainder of the bill. This system should not be treated the same as a loan with a financial institution," said Congressman Simpson.

Rep. John Adler (D-N.J.), the bill's chief sponsor, said the FTC "went too far. During these tough economic times, the federal government should not be placing burdensome regulations on small businesses."

"By passing this fix today, Congress can provide the FTC a clear definition of how Congress intended the policy to be enacted and protect small businesses and their customers from unnecessary government intervention," said Rep. Christopher Lee (R-N.Y.),  a cosponsor.

"In my opinion, the manner in which this legislation was crafted, with input from both sides of the aisle, with the FTC and with the various sectors that would be adversely affected if we had not acted, is the model for how this House can work to actually solve the problems facing our country," said Rep. Paul Broun (R-Ga.), a physician who cosponsored the measure. 

The American Dental Association is not finished with the Red Flags Rule yet:

The Association is seeking similar Senate legislation to assure final congressional passage and enactment of a law providing an exclusion from Red Flags identity theft guidelines for certain businesses including "a health care practice with 20 or fewer employees," which means most private practice dental offices.

Are dentists the most powerful people in Washington?

"U.S. House passes ADA-backed Red Flags exemption legislation," ADA Press Release (October 21, 2009).


Breaking News: FTC Delays Enforcement of the Red Flags Rule Again, Until November 1, 2009

From the FTC:

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.


Although many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations. The additional compliance guidance that the Commission will make available shortly is designed to help them. Among other things, Commission staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics. The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.

You can read the full press release here.