"Red Flags" Rule Postponed Yet Again, as Groups Work to Exempt Doctors

The "Red Flags" Rule, aimed at preventing identity theft, was delayed until Dec. 31, as lawmakers, policy enforcers and doctors groups wrangled over whether physicians should be considered "creditors" under the rule.

The controversial "Red Flags" Rule, aimed at preventing identity theft, has been postponed once again by the Federal Trade Commission. Instead of enforcing the rule on June 1, the FTC recently announced it won’t take any action until Dec. 31. At the heart of the controversy is determining exactly who is to be covered under the new rule.

Under the Red Flags Rule, financial institutions and creditors will be required to develop and implement identity theft prevention programs in writing. A “creditor” is defined by the rule as any entity that regularly extends, renews, or continues credit; one that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. (You can find more detailed information here.)

In a prepared statement, the FTC said the delay would give lawmakers time to draw up legislation that would define the “scope of entities covered by the rule.” The House last year passed a bill that would exempt physicians, attorneys and accounting offices with 20 or fewer workers, and a similar bill was introduced in the Senate last month.

Figuring out just what the new rule means by the term “creditor” already has forced several postponements. The rule was originally scheduled to take effect more than two years ago and firms affected had until Nov. 1, 2008, to comply. Since then, enforcement of the new rules has since been delayed five times.

A Breach of Doctor/Patient Trust

The American Medical Association wants doctors to be completely exempt, maintaining that doctors are not creditors in the same sense that banks and other lenders are. The AMA recently filed suit to prevent the government from imposing the rule on doctors, saying it would force them to follow unnecessary and difficult procedures that would do nothing to improve patient care. The AMA also claims that complying with the rule would tend to erode the doctor/patient relationship, which is based on trust.

In addition to making patients prove their identities -- such as presenting a driver’s license or military ID card -- every time they aren’t paying for services in full, the rule would require doctors to set up complex identity theft prevention programs.

What might compliance to the new prevention program look like? According to the FTC, if physicians are eventually covered by the rules, he or she must:

1. Identify the kinds of red flags that are relevant to your practice;

2. Explain your process for detecting them;

3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and

4. Spell out how you’ll keep your program current.

What Constitutes a "Red Flag"

Unfortunately, there are no hard-and-fast rules on what constitutes an identity theft “red flag,” though the FTC suggested some of the following warning signs that may be relevant for healthcare professionals:

• Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient’s appearance? Did the patient give you other documentation inconsistent with what he or she has told you (for example, the wrong date of birth or a chronic medical condition not mentioned elsewhere? If so, you may need to ask for additional identification or information from that patient.

• Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file or from the insurer.

• Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.

• Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.

Though it remains unclear who will ultimately be covered under the new rules, the AMA compiled this sample policy to give physicians and their office managers some guidelines on how a practice might comply if and when the FTC decides to implement the rule.