The FTC has again delayed enforcement of the Red Flags Rule, which requires financial institutions and other "creditors" to establish identity theft protection programs to (i) identify "red flags" that would indicate that a customer or client might be the victim of identity theft, (ii) detect when a "red flag" has been raised, and (iii) take steps to address any identity theft situation that comes to light.
This is the third delay of the effective date of the Rule. The Rule was supposed to be effective January 1, 2009, for most "creditors" (financial institutions have been subject to the rule since November 2008), but the effective date was delayed to May 1, 2009, due to confusion regarding who might be considered a "creditor," and specifically whether such designation should apply to physicians. On the day before the May 1, 2009, deadline, the FTC announced that it would push the deadline back to August 1, 2009, and would provide a template that creditors could use to form their own identity theft prevention programs. As the August 1, 2009, deadline loomed, without the promised delivery of the template from the FTC, the agency again decided to extend the deadline, this time until November 1, 2009.
The AMA is engaged in a highly publicized fight with the FTC over whether physicians should be considered "creditors" at all. The FTC has stated that it considers physicians to be "creditors" because of the customary delay between providing services and collecting payments, but the AMA has not conceded the fight yet and has threatened to sue the FTC and force it to re-issue the Red Flags Rule in the Federal Register (at least as it relates to the applicability to physicians) and re-open the regulations for public comment.
Interestingly, the FTC's announcement that it was moving the May deadline came in a press release titled "FTC Will Grant Three-Month Delay...", while the announcement moving the August deadline is titled "FTC Announces Expanded Business Education Campaign on Red Flags Rule." Instead of focusing on the need to give businesses more time to construct their programs, the most recent announcement focuses on the FTC's "redoubl[ing] its efforts to educate" small businesses and "providing additional resources and guidance..." The press release specifically notes that alleviating the burden on health care providers is an impetus behind the new delay.
The prospect of medical identity theft is particularly acute with health care providers, and the actual burden of complying with the Red Flags Rule is relatively light. Therefore, most health care providers should consider implementing an identity theft prevention program and complying with the Red Flags Rule, even if relief is granted by the FTC. If you need assistance doing so, please contact Jeffery Drummond at 214.953.5781 or jdrummond@jw.com.