Physicians get 4th reprieve from FTC identity theft rule
■ The postponement until June 2010 comes as lawmakers consider exempting some physician practices from the "red flags" rule. The AMA wants all doctors excluded.
- WITH THIS STORY:
- » External links
The delay in enforcement of a federal identity theft prevention rule could give physicians the time needed to secure legislative relief from what they say is an overreaching regulation by the Federal Trade Commission.
The commission's "red flags" rule requires entities that regularly extend credit or defer payment for services to implement a formal policy for detecting and preventing identity theft. Despite repeated objections from the American Medical Association and other physician organizations, the FTC counts physician practices as creditors if they bill patients for past services or allow patients to set up payment plans.
The outcry already has prompted the FTC to delay enforcement three times. A fourth postponement -- from Nov. 1, 2009, to June 1, 2010 -- came at the request of congressional lawmakers and could be followed by enactment of a new bill that would exempt practices with 20 or fewer employees. That measure passed the House on Oct. 20 and awaits action by the Senate Committee on Banking, Housing and Urban Affairs.
A recent court ruling exempting lawyers from the rule also may demonstrate how physicians can seek additional recourse.
The AMA welcomed the latest reprieve and said the legislation is a good first step. But organized medicine continues to press lawmakers for a bright-line rule removing all physicians from the regulation's reach, citing concerns that the unfunded mandate imposes an excessive strain on practices.
"For over a year, the AMA has continued to make the case to the FTC that physicians are not creditors, and the red flags rule should not apply to them -- now attorneys and members of Congress are also rightly raising concern with the FTC's broad interpretation," said AMA President-elect Cecil B. Wilson, MD. "The FTC's latest delay of seven months should give them the time they need to take a good, hard look at the rule and finally revise the list of groups to which it applies."
Too many physician practices still would be left behind by the legislation passed by the House, said Amy Nordeng, the Medical Group Management Assn.'s government affairs counsel. For instance, while many practices have fewer than 10 doctors, once employees are counted, the threshold of 20 or fewer workers could easily be exceeded.
Other provisions would exempt entities that:
- Know all of their customers individually.
- Only perform services in or around their customers' residencies.
- Have never experienced incidents of identity theft or are in an industry where such occurrences are rare.
But the criteria remain vague, and the bill leaves it up to the FTC to determine if a particular business would qualify, Nordeng said.
"The fact Congress is willing to carve out a piece of [the red flags mandate] is positive. ... But we don't think by any stretch that this bill gets all practices out" from under the rule, she said. In addition, being considered a creditor could subject a practice to additional types of requirements whether or not the identity theft requirement applies, she added.
In an Oct. 28 letter to Rep. John Adler (D, N.J.), the House bill's sponsor, the AMA urged Congress "to advance legislation that would protect physicians from the broad application of creditor laws such as the red flags rule."
A recent court victory for the legal profession could be good news for physicians, said Peter F. McLaughlin, a health care privacy and security expert and senior counsel in Foley & Lardner LLP's Boston office.
In a preliminary ruling, the U.S. District Court for the District of Columbia on Oct. 30 blocked the FTC from applying the red flags rule to attorneys, suggesting the agency may have overstepped its bounds. The AMA was not involved in the suit, brought by the American Bar Assn.
A final court order is pending. But "if the view of the court is that the FTC made an error and was way too broad in its definition and use of the term creditor, there's a pretty good likelihood many other groups, such as the health care profession, would be able to make similar arguments," McLaughlin said.
At this article's deadline, no legal action by the medical community had been initiated. The FTC did not return calls seeking comment but hinted at a possible appeal of the court ruling in its announcement of the most recent red flags delay.
Meanwhile, absent any legislative or legal relief, physicians are urged to take advantage of the latest postponement to examine their practices for potential medical identity theft warning signs and be prepared to adopt a compliance plan if ultimately required, Nordeng said.