Red Flags: No Delay for Credit UnionsLatest FTC Extension Applies Only to Physicians
The Federal Trade Commission (FTC) on June 25 signed a court-approved agreement to hold off on enforcing the Red Flags Rule for physicians until at least 90 days after an appellate court rules on a case involving enforcement of the rule for attorneys.
But according to FTC spokesperson Frank Dorman, this agreement has no bearing on state-chartered credit unions or any other entities, which still face the Dec. 31 enforcement date announced at the end of May.
"In the meantime, other folk, such as the credit unions, will have to wait and see what Congress [does]," Dorman says. The latest delay - the fifth since the Red Flags Rule was enacted in 2008 - was designed to give Congress time to decide whether to enact relevant legislation exempting certain groups. "We hope Congress will tell us who will be covered," Dorman says.
Under the Red Flags Rule, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.
Originally, all affected entities - including automobile dealers, utility companies and healthcare providers -- were to show compliance with the Red Flags Rule by Nov. 1, 2008, the same deadline as that met by banks and other financial institutions, including federal credit unions. But in late October of 2008, the FTC extended the deadline by six months for the roughly 11 million entities it oversees. This move was to give non-banking creditors and state-chartered credit unions additional time to develop and implement written identity theft prevention programs. Since then, there has been a series of further delays stemming from questions about what types and sizes of entities should be exempt from the Red Flags rule.
Doctors' LawsuitEarlier this year, the AMA and two other physicians groups filed a lawsuit seeking to prevent the FTC from applying the rule to doctors.
In arguing against applying the rule to physicians, the AMA and other associations contended it is unnecessary.
"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patient's medical information," said Peter Lavine, M.D., alluding to the HIPAA privacy and security rules. "It is unnecessary to add to the existing web of federal security regulations physicians must follow," added Lavine, president of the Medical Society of the District of Columbia, which joined in the AMA lawsuit. The Latest Move
In the June 25 "joint stipulation," the FTC agreed that it would not enforce the rule for physicians until 90 days after an opinion is issued by the U.S. Court of Appeals for the District of Columbia Circuit on the American Bar Association's case against the FTC. The lower court ruled in favor of the ABA in its bid to exempt attorneys from the rule, which paved the way for the AMA's suit.
Two U.S. Senators recently introduced legislation to exempt smaller healthcare, accounting and legal practices from the Red Flags Rule.
The Senate bill would exempt practices in the three sectors with 20 or fewer employees. It applies to healthcare professionals, including physicians, dentists, podiatrists, chiropractors, several types of therapists and veterinarians. A very similar bill, H.R. 3763, passed the U.S. House last year on a 400-0 vote.
The June 25 "joint stipulation" document notes that if Congress passes legislation to reinstate FTC enforcement of the Red Flags rule for some or all physicians, that law would take precedence over the court agreement.
Tracy Kitten, Managing Editor, contributed to this report.