In response to Congressional pressure, the Federal Trade Commission (FTC) announced Oct. 30 that enforcement of its “Red Flags” rule has been postponed until June 1. The rule, which requires creditors of covered accounts to establish a program that can detect, prevent and mitigate identity theft, was scheduled to take effect Nov. 1. The FTC continues its efforts to educate small businesses and other entities about compliance with the rule and clarify who it covers.
The Academy, the AMA and a number of other medical societies have protested the FTC’s interpretation that physicians were to be considered creditors under the rule, and the House has passed a bill (H.R. 3763) that excludes physicians from the rule. Introduced by Rep. John Adler, D-N.J., H.R. 3763 excludes health care, accounting and legal practices with 20 or fewer employees from the creditor category. Under the bill, the FTC also would be required to issue regulations allowing any business to apply for an exemption. The Senate still must pass legislation for health care practices to be exempted.
Getting Ready for June 1
To help physicians meet the rule, the FTC has created a Web site dedicated specifically to the rule and its implementation. The FTC has said physicians are creditors and therefore subject to the Red Flags rule, if:
- Physicians do not require full payment up-front at the time they see patients, but rather bill patients after the physician’s services are rendered
- The patient is ultimately responsible for medical fees (as is routinely the case with respect to co-pays or deductibles or services not covered by insurance)
The Academy will continue to work with the AMA and other medical societies to protest the FTC’s interpretation of “creditor” and to try to mitigate the burden of the rule on physician practices. The AMA has developed a guidance document and sample policies to help your practice develop a written identity-theft prevention program.
Get more help with Red Flags rule compliance at AAOE's June 23 Webinar, "Identity Theft, Privacy and Security: How to Comply With Red Flags Rule and New Expanded HIPAA Requirements."
For more information, e-mail firstname.lastname@example.org.