Red Flags Rule Information
FLASH UPDATE!
The Federal Trade Commission has announced that enforcement of the Red Flags
Rule will again be postponed, this time until June 1, 2010. Last month the US
House of Representatives unanimously passed a bill (HR 3763) that would exempt
from the Red Flags Rule health care practices and certain other businesses with
20 or fewer employees; the bill is now pending in the Senate. The FTC does not
want to begin enforcing a regulation the Congress plans to supersede, hence the
delay. The AMA has been urging the FTC and Congress that physicians are not
"creditors" and should not be subject to the rule. We are pleased that the FTC
has granted another delay. More information on the FTC's decision is available
here.
Our recommendation now is to keep doing what you’re doing. If you’ve
developed and implemented a plan for compliance with the Red Flags Rule,
continue top follow your plan; there is no guarantee small practices will become
exempt. If you haven’t taken action yet, don’t, but stay tuned. There may be
more changes before this issue is finalized.
Medical Identity Theft is a growing problem that this rule is attempting to address.
Previous Iformation:
When it announced the
previous postponement, the Federal Trade Commission (FTC) said, “To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the ‘Red Flags’ Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.” Previously the FTC postponed the deadline for requiring businesses to develop and implement identity theft prevention programs to May 1, 2009, then to August 1, 2009,
and again to November 1, 2009. Although the AMA and other physician organizations have argued that the "Red Flags Rule" should not apply to physician offices, the FTC continues to assert that physician offices are "creditors" and must comply with the regulations. If your practice has not begun to develop your identity theft prevention program, hesitate no longer. Begin today to create a written program with policies and procedures for identifying, detecting, and responding to medical identity theft for patient billing accounts and medical records, and re-evaluate the program at least annually. The Red Flags Rule applies to all "creditors" with "covered accounts." The definition of creditor includes businesses or organizations that regularly defer payment for goods or services, or regularly provide goods or services and bill customers later. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Covered accounts include any kind of account you offer your patients that involves or is designed to permit multiple payments or transactions, or for which there is a reasonably foreseeable risk to patients or to the practice from identity theft. Nearly all medical practices fall into these broad definitions. For additional information about the background and reasoning for the Red Flags Rule, visit the FTC’s Red Flags Web site, www.ftc.gov/redflagsrule. This site has a 4-step guide for low-risk businesses to create their own program. This guide refers to the FTC’s 17-page Red Flags Rule How-To Guide for Businesses is available at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm For a copy of the complete Red Flags Rule, click here. (Bureaucratic Excess Warning: 256 pages long) An excellent, and mercifully brief Fact Sheet on compliance with the Red Flags Rule has been developed by the American Academy of Dermatology. (Note: this sheet does not have the updated deadline dates.) The law firm of Kern Augustine Conroy & Schoppmann, P.C. has created an Identity Theft Prevention Program Template from which a practice might begin to develop their own written compliance document. The American Medical Association has also developed extensive physician helps on this issue which are available on the AMA Members Website. If you have additional questions, feel free to contact UMA General Counsel Mark Brinton, JD, at the UMA office or by emailing legal@utahmed.org | 
Back to
UMA Home Page