Members Only

Renew Membership

Membership Info

JOIN UMA

Officers/Staff

Events/Calendar

UMA House of Delegates
September 10-11, 2010
Salt Lake Hilton Hotel

Payment to UMA

Red Flags Rule Information

UPDATED - May 28, 2010

The following is an announcement from the FTC regarding the Red Flags Rule:

At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.

 

In the interim, FTC staff has continued to provide guidance, both through materials posted on the FTC website, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members. 

It is unknown if the AMA's recently announced lawsuit against the FTC over the inclusion of physicians in the scope of the rule had any part in the new delay, but the FTC's announcement comes as a welcome relief to those physician offices which were unprepared to comply with the Red Flags requirements. UMA continues to encourage physicians to develop and incorporate plans to prevent and respond to identity theft in the medical office.

 

December  31, 2010 is the current deadline set by the Federal Trade Commission for enforcement of its Red Flags Rule targeting “creditors,” which may include physicians. According to the FTC, any physician that routinely sees patients without getting up-front payment in full (including billing insurance), must comply with this rule.

 

In response to indications that the rule will apply to physician practices, the AMA successfully persuaded the FTC to delay implementation of the rule until now. Organized medicine is continuing efforts to persuade the FTC that physicians are not "creditors," and therefore not subject to the Red Flags Rule, but so far, the FTC has not budged.

 

In the mean time, you need to determine whether the rule applies to you and what you need to do about it. What’s needed to comply with the rule depends on the size and nature of your practice. In general, “creditors” will need to develop and implement written identity theft prevention and detection programs to protect patients and the office from identity theft.

Here are a couple of new resources to assist you:

"What you need to know about the Red Flags Rule"

Sample practice policy

 Medical Identity Theft is a growing problem that this rule is attempting to address.

Previous Information:

When it announced the previous postponement, the Federal Trade Commission (FTC) said, “To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the ‘Red Flags’ Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”  Previously the FTC postponed the deadline for requiring businesses to develop and implement identity theft prevention programs to May 1, 2009, then to August 1, 2009, and again to November 1, 2009.  Although the AMA and other physician organizations have argued that the "Red Flags Rule" should not apply to physician offices, the FTC continues to assert that physician offices are "creditors" and must comply with the regulations.

If your practice has not begun to develop your identity theft prevention program, hesitate no longer.  Begin today to create a written program with policies and procedures for identifying, detecting, and responding to medical identity theft for patient billing accounts and medical records, and re-evaluate the program at least annually.

The Red Flags Rule applies to all "creditors" with "covered accounts."  The definition of creditor includes businesses or organizations that regularly defer payment for goods or services, or regularly provide goods or services and bill customers later. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Covered accounts include any kind of account you offer your patients that involves or is designed to permit multiple payments or transactions, or for which there is a reasonably foreseeable risk to patients or to the practice from identity theft.  Nearly all medical practices fall into these broad definitions.

For additional information about the background and reasoning for the Red Flags Rule, visit the FTC’s Red Flags Web site, www.ftc.gov/redflagsrule.  This site has a 4-step guide for low-risk businesses to create their own program.  This guide refers to the FTC’s 17-page Red Flags Rule How-To Guide for Businesses is available at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm

For a copy of the complete Red Flags Rule, click here. (Bureaucratic Excess Warning: 256 pages long)

An excellent, and mercifully brief Fact Sheet on compliance with the Red Flags Rule has been developed by the American Academy of Dermatology.  (Note: this sheet does not have the updated deadline dates.)

The law firm of Kern Augustine Conroy & Schoppmann, P.C. has created an Identity Theft Prevention Program Template from which a practice might begin to develop their own written compliance document.

The American Medical Association has also developed extensive physician helps on this issue which are available on the AMA Members Website.

If you have additional questions, feel free to contact UMA General Counsel Mark Brinton, JD, at the UMA office or by emailing legal@utahmed.org

Back to UMA Home Page

Copyright © 2010 Utah Medical Association