FTC Again Delays Red Flags Enforcement

Latest Delay Impacts State-Chartered Credit Unions

Reacting to requests from several members of Congress, the Federal Trade Commission has yet again delayed enforcement of the Identity Theft Red Flags Rule until Dec. 31, 2010. The regulation had been slated to be enforced June 1. This is the fifth time that the enforcement date has been pushed back.

Two U.S. Senators recently introduced legislation to exempt smaller healthcare, accounting and legal practices from compliance with the rule.

The Senate bill would exempt practices in the three sectors with 20 or fewer employees. It applies to healthcare professionals, including physicians, dentists, podiatrists, chiropractors, several types of therapists and veterinarians. A very similar bill, H.R. 3763, passed the U.S. House last year on a 400-0 vote.

The FTC "urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the rule and obviate the need for further enforcement delays," the commission said in a statement May 28.

Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.

Banking regulatory agencies have been enforcing the rule for most financial institutions, with the exception of state-chartered credit unions, since November 2008, when the FTC originally was supposed to begin enforcement for non-banking agencies. The FTC's enforcement deadline has been pushed back several times before now.

Earlier this year, the American Medical Association and two other physician groups filed a lawsuit seeking to prevent the FTC from applying the rule to doctors.

In arguing against applying the rule to physicians, the AMA and other associations contend it is unnecessary.

"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patient's medical information," says Peter Lavine, M.D., alluding to the HIPAA privacy and security rules. "It is unnecessary to add to the existing web of federal security regulations physicians must follow," adds Lavine, president of the Medical Society of the District of Columbia, which joined in the AMA lawsuit.

Managing Editor Linda McGlasson contributed to this report.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
