eAlerts What do you need to do about the ftcs red flag rules 10.27.08

WHAT DO YOU NEED TO DO ABOUT THE FTC'S "RED FLAG" RULES?

October 27, 2008

Prevending Medical Identity Theft

The Federal Trade Commission last week postponed the implementation date of the “Red Flag” rules from November 1, 2008 to May 1, 2009. During the six-month reprieve, physicians will have two tasks:

To figure out whether the Red Flag rules apply to medical practices. This will depend largely on whether organized medicine succeeds in persuading the FTC that physicians who accept deferred payment are not “creditors” within the meaning of the regulation, and
To make their best guess at the outcome of the persuasion efforts and to prepare to establish the programs and protocols required by the Red Flag rules to detect, prevent and mitigate medical identity theft.

This is the issue: the Identity Theft Red Flags regulations and guidelines (16 CFR 681.2), which were promulgated in November 2007 pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require financial institutions and creditors to develop and implement written “identity theft prevention programs.” The programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Developing new written policies and procedures to identify, detect and prevent “red flag” activities, and updating these as needed, would obviously constitute a significant burden for physicians. So would the additional requirements, as summarized by the Medical Group Management Association (FTC Red Flag rules may apply to certain medical group practices, MGMA Washington Connexion, October 1, 2008), for a medical practice to:

Obtain approval of the program from its board or board committee;
Involve the board or senior management designee(s);
Train staff; and
Exercise oversight of service provider arrangements...

Do anesthesiologists, pain management physicians, and CRNAs come within the FACTA definition of “creditor” as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. ‘Credit’ includes a right granted to defer payment for any purchase.” (http://www.ftc.gov/os/2008/10/081022idtheftredflagsrule.pdf)

“Thus,” according to the FTC, “any person that provides a product or service for which the consumer pays after delivery is a creditor.” Medical societies have objected strongly to FTC attorneys’ view that this definition covers physicians. In a September 30 letter to the FTC, the American Medical Association and the MGMA, along with many other groups, questioned “if it is a correct interpretation of the final rule to advise that physicians are creditors if they bill patients after their services are rendered. That would lead to the result that anyone issuing a bill or invoice for services rendered would, by definition, be a creditor, which we do not believe is the intent of the statutory and regulatory scheme.” (http://www.ama-assn.org/ama1/pub/upload/mm/31/ftc_letter20080930.pdf)

As the AMA letter noted, patient information already enjoys substantial protection from disclosure under the HIPAA privacy and security laws.

ABC will be following the debate closely and will publish updates including how-to advice on compliance with the Red Flag rules as more information becomes available. If it seems likely that the FTC view of physicians as creditors will prevail, we will work with our clients to put the requisite programs and procedures in place. You are welcome to submit questions to This e-mail address is being protected from spambots. You need JavaScript enabled to view it . Answers of general applicability will be provided by Karin Bierstein, JD, MPH, Vice President for Strategic Planning and Practice Affairs, in future communications.

We hope, of course, that this new regulatory burden will soon become a moot point for all anesthesiology and pain management practices.