FTC Responds To AMA's Challenge To The Identity Theft Red Flags Rule's Applicability To Physicians
March 2, 2009
In brief, the Red Flags Rule requires each "financial institution" and "creditor" that has one or more "covered accounts" to develop and implement a written identity theft prevention program. Such a program must be designed to detect, prevent and mitigate identity theft in connection with the opening of new "covered accounts" or activity relating to existing "covered accounts."
The FTC's response rejects the AMA's multiple arguments that physicians are not "creditors." In its ruling, the FTC states that physicians and other health care providers are "creditors" under the Red Flags Rule, even if they do not consider themselves such, if the provider performs a service and then defers the patient's payment for the services to a future point in time.
The identity theft prevention program required under the Red Flags Rule is not designed to be one-size-fits-all. Instead, the FTC stresses the flexibility of such programs and their need to be tailored to the degree of identity theft risk faced by a provider, which for many providers could be "minimal or non-existent."
A low risk of identity theft does not mean that no program is needed, but it does allow a provider to use a "simple and streamlined program" to fulfill any obligations under the Red Flags Rule. Unfortunately, at present, the FTC has not offered any bright-line test for who is high-risk or low-risk under the Rule.
Nevertheless, throughout the response, the FTC speaks of collaboration, working together, and helping the AMA and providers become compliant so as to minimize the Red Flags Rule's potential burden on health care providers. Perhaps this spirit of collaboration will result in sample programs or other guidance being made available to AMA members in the coming months.
The FTC's response clarifies that the Red Flags Rule complements HIPAA's regulations protecting patient data, while also focusing on reducing medical identity theft (the misuse of a patient's name or insurance information to obtain services) beyond electronic data. The response confirms the six-month forbearance period for the Rule's enforcement, which ends May 1, 2009.
With this in mind, physicians and other health care providers should develop or review their procedures for handling covered accounts through an appropriate new or existing identity theft prevention program for their businesses based on their identity theft risks. Call us if you need assistance in developing a program or assessing your identity theft risks before enforcement begins in May!
The Firm's Privacy Team regularly works with the Health Care Practice Group to provide in-depth counseling and compliance planning on the Red Flags Rule and related information security and privacy matters. An earlier Firm Alert on compliance with the Red Flag Rules may be found here.
This Client Alert is a publication of the Health Care Practice Group at Womble Carlyle Sandridge & Rice, PLLC. Readers are urged to consult with their regular contacts at the firm or
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.