FTC Again Delays Red Flags EnforcementLatest Delay Impacts State-Chartered Credit Unions Reacting to requests from several members of Congress, the Federal Trade Commission has yet again delayed enforcement of the Identity Theft Red Flags Rule until Dec. 31, 2010. The regulation had been slated to be enforced June 1. This is the fifth time that the enforcement date has been pushed back.
Two U.S. Senators recently introduced legislation to exempt smaller healthcare, accounting and legal practices from compliance with the rule.
The Senate bill would exempt practices in the three sectors with 20 or fewer employees. It applies to healthcare professionals, including physicians, dentists, podiatrists, chiropractors, several types of therapists and veterinarians. A very similar bill, H.R. 3763, passed the U.S. House last year on a 400-0 vote.
The FTC "urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the rule and obviate the need for further enforcement delays," the commission said in a statement May 28.
Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.
Banking regulatory agencies have been enforcing the rule for most financial institutions, with the exception of state-chartered credit unions, since November 2008, when the FTC originally was supposed to begin enforcement for non-banking agencies. The FTC's enforcement deadline has been pushed back several times before now.
Earlier this year, the American Medical Association and two other physician groups recently filed a lawsuit seeking to prevent the FTC from applying the rule to doctors.
In arguing against applying the rule to physicians, the AMA and other associations contend it is unnecessary.
"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patient's medical information," says Peter Lavine, M.D., alluding to the HIPAA privacy and security rules. "It is unnecessary to add to the existing web of federal security regulations physicians must follow," adds Lavine, president of the Medical Society of the District of Columbia, which joined in the AMA lawsuit.
Managing Editor Linda McGlasson contributed to this report.