Legislation: FTC delays enforcement of ID theft regulations

November 26, 2008

Last month many physicians received a reprieve from the federal government ? and most probably didn?t even realize it.

Last month many physicians received a reprieve from the federal government – and most probably didn’t even realize it.

In October, the Federal Trade Commission delayed enforcement from Nov. 1, 2008, to May 1, 2009, of its so-called “red flags” rules, which require creditors to establish a written program for combating identity theft. In a controversial move, the FTC has defined most physicians as “creditors,” drawing fire from the American Medical Association and other medical groups, who argue that the FTC is too broadly defining the term.

The red flags rules are based on legislation that defines a creditor as “any person who grants the right to defer payments,” says Naomi Lefkovitz, an attorney in the FTC’s division of privacy and identity protection. Using this definition, the red flags rules would apply to physicians who accept payment, either in part or in full, at a time after they provide medical services to patients.

Under the red flags requirements, creditors must create a written program listing warning signs for ID theft, how they’ll detect those threats, and how they’ll respond, Lefkovitz says.

According to the AMA, typical medical ID theft warning signs physicians should be on the lookout for include:

Records showing medical treatment that is inconsistent with a patient’s history

Suspicious documents, such as a forged insurance card

A patient who has an insurance number but no card or documentation

Unusual billing patterns

The FTC delayed its enforcement of the red flags rules because there was “lots of confusion” about the rules among “entities not accustomed to being regulated by the FTC,” Lefkovitz says. Once the rules take effect, the FTC will have the right to fine violators $2,500 per offense. The agency typically learns of violations through consumer complaints, but it also may launch its own investigations, she says.

In a letter sent to the FTC in October, the AMA and 26 other medical organizations said they “strongly disagreed” with the FTC’s decision to define physicians as creditors. “Physicians should not be considered creditors simply because they accept insurance and hold the patient responsible for the amount(s) unpaid by insurance,” the letter states.

Lefkovitz says the FTC has “no response” to the AMA’s statements.

Mike Brown, CHBC, a practice management consultant with Health Care Economics in Indianapolis, says few doctors he’s spoken with recently are aware of the red flags rules. “No one is worried about this or even mentions it,” he says via e-mail.

Hospitals apparently aren’t paying much attention, either. In a survey of 100 hospitals, 91 said they’re not compliant with red flags rules, 73 were surprised to find out the rules applied to them and 60 said it would cost them more than $10,000 to comply. The survey was conducted by Compliance Coach, a San Diego-based compliance software developer.