"Red Flags" Delayed Again; Lawyers in the Clear (for Now)
By: Jeff Drummond
Once again, the Federal Trade Commission (FTC) has delayed the effective date for enforcement of the "Red Flags" Rule, this time at the specific request of House lawmakers. The Rule, originally published by the FTC in November 2007 as required by the Fair and Accurate Credit Transactions Act of 2003, requires financial institutions and "creditors" to adopt identity theft prevention plans in order to spot indicators of identity theft (the proverbial "red flags") affecting their customers or clients. While financial institutions have been subject to the Rule for some time, businesses meeting the somewhat loose definition of "creditor" originally had until November of 2008 to come into compliance.
CLICK HERE to view the FTC press release announcing the extended deadline.
Due to a great deal of consternation about the applicability of the Rule and who met the definition of "creditor," the FTC serially delayed the implementation date of the Rule, with the most recent extension ending November 1, 2009. Much of the delay was in response to harsh attacks on the FTC for including certain businesses in the definition of "creditor." The AMA (and multiple other physician professional organizations) wrote letters to the FTC asking that physician offices be removed from the definition of "creditor," and the ABA sued the FTC for attempting to make the Rule applicable to lawyers. Last week, the Federal District Court ruled in the ABA's favor, stating that the FTC had exceeded its authority in applying the Rule to lawyers.
The House of Representatives recently passed legislation (with a vote of 400-0) to remove health care, legal, and medical businesses with 20 or fewer employees from the definition of "creditor." The Senate has yet to take up a similar measure. Given the strong support in the House, some lawmakers asked the FTC to again delay the November 1 enforcement date, which the FTC agreed to do on October 30; the latest delay pushes enforcement to June 1, 2010. The FTC noted the court loss in its press release announcing the delay, but specifically stated that the delay did not impact the possibility that it might appeal.
There is a good argument that the term "creditor" was not intended to include physicians and physician groups. However, it is easy to adopt an ID theft prevention plan, and such a plan would make an excellent compliment to a medical practice's HIPAA privacy and security policies. Physician practices will not need to adopt such a plan until at least June of next year, and small practices might eventually be statutorily exempted from any such requirement. However, it is good practice to at least consider whether such a plan is appropriate, even if it is not required.
If you have any questions regarding this e-Alert, please contact Jeff Drummond at 214.953.5781 and jdrummond@jw.com.
Below is a list of previous e-Alerts written on the Red Flags Rule:
|
