RED FLAGS RULE FURTHER DELAYED UNTIL DECEMBER 31, 2010
Enforcement of the Red Flags Rule has been delayed through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. The Red Flags Rule became effective on January 1, 2008, with full compliance required by November 1, 2008. This makes the fifth time since November 2008 that the FTC has delayed enforcement of the Red Flags Rule. The American Medical Association (AMA) stated that it will utilize this time to convince the FTC and Congress to republish the Rule so that there is sufficient opportunity to formally comment and state the AMA’s objections to physician inclusion in this program.
The Red Flags Rule was promulgated as the result of a law enacted by Congress (the “Fair and Accurate Credit Transactions Act”) in which Congress directed the FTC to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. As a result, the FTC promulgated the rule to require all covered entities to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities, known as “red flags”, that could indicate identity theft.
The “Red Flags Rule” applies to any institution considered a “creditor”. A creditor is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit”. The FTC, however, considers a medical practice that accepts insurance or allows payment plans to be a “creditor” and subject to the “Red Flags Rule”.
For example, the FTC believes a physician is a creditor if he/she does not regularly demand payment in full, either in advance or at the time services are rendered, and instead bills a patient after services are rendered. The FTC also believes a physician is a creditor if he/she agrees to bill a patient’s health insurance first, but holds the patient ultimately accountable for any non-covered portion of their fee, as is routinely the case with respect to co-pays, deductibles and services not covered by insurance.
Since the Rule was issued, the AMA has objected to the FTC’s interpretation that physician practices are “creditors”. The FTC states that this delay is intended to “give creditors and financial institutions more time to review the guidance and develop and implement written Identity Theft Prevention Programs”.
See FTC Press Release:
See FTC Guidance:
While the AMA has stated that it intends to continue to make the case to Congress and the FTC that the FTC should republish the rules so that there is sufficient opportunity to formally comment and state the AMA’s objections to physician inclusion in the program, the AMA has prepared a guidance document, along with sample policies, so that physicians can incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies.
See AMA guidance to access the AMA resource “Protect your patients, protect your practice: What you need to know about the Red Flags Rule”, and a sample practice policy.
- A summary of the New York Social Security Number Protection Law updated to include 2 new provisions that took effect in January 2009.
- A summary of the “New York State Information and Security Breach and Notification Act”, General Business Law section 899-aa. What happens if a medical practice discovers that a breach of computerized private information occurred, e.g., an unauthorized person gained access to computerized private information of patients? Must the medical practice notify the affected patients of the security breach? Must the medical practice notify any state agency?
- Debt Collection Procedures Related to Identity Theft, General Business Law section 604 et seq. What happens if a medical practice bills an individual for services, but the individual asserts that he/she was a victim of identity theft and should not be held responsible for the payment? May the medical practice continue with efforts to collect payment from the individual, or must the medical practice undertake to review the individual’s claim of identity theft?
The New York State Consumer Protection Board has published the guidance to help businesses prevent and mitigate identity fraud. The guide also summarizes various federal and state laws that relate to the Red Flag Rules and identity theft.