Updated - President Signs Act Exempting Physicians From Red Flag Rules

Update: President Obama signed S. 3987 as Public Law No: 111-319 [Text, PDF] on December 18, 2010.

* * *

Physicians will no longer be defined as "creditors" under the controversial "Red Flag Rules" when clarifying provisions are signed into law as expected. The House of Representatives has unanimously passed S. 3987, the "Red Flag Program Clarification Act of 2010," which was previously approved by the Senate. The bill now goes to President Obama for his signature.

The brief bill redefines "creditor" to exclude service providers that advance funds on behalf of a person for expenses incidental to a service they provide to that person. The Red Flag Rule was designed to require creditors, such as banks, credit card companies and other lenders, to implement various safeguards to protect their clients from identity theft.

The original statute defined "creditor" broadly, and the FTC initially interpreted it to apply to physicians and other professionals who bill their clients for services, believing that they were obligated to do so by the statutory language. After being bombarded with complaints, FTC chairman Jon Leibowitz assured physicians that his agency was pushing Congress to work quickly to fix the Red Flag Rule that he said had "unintentionally swept up countless small businesses – including every doctor, dentist, lawyer, gardener, plumber, and housekeeper who bill customers on a monthly basis."

The effective date of the Red Flag rules has been postponed several times, most recently in June, and will take effect for other creditors on January 1, 2011. The American Bar Association and other professional societies had sued the FTC earlier this year, and the federal agency had agreed to delay enforcement for attorneys, physicians and accountants until the appeal of that ruling was heard. The appeal remains pending but will be rendered moot by this legislation.

 

FTC Agrees to Postpone Application of Red Flag Rules to Physicians Pending Outcome of Litigation

More breathing room for physicians under the Red Flag rule: Following the blanket compliance extension through December 31, 2010, the FTC has announced that it has reached a joint legal stipulation with the AMA, the American Osteopathic Association and the Medical Society of DC stating that it would not pursue enforcement of the rule against physicians pending the results of an appeal of a decision striking down the application of the rule to law firms.

 

In an article posted by Modern Healthcare (registration required), it was reported that on June 25, the FTC agreed to a stipulation with the three medical societies who brought suit to block the agency from applying the rule to medical practices. The American Bar Association's motion for summary judgment for declaratory and injunctive relief from the Rule's application to lawyers was granted. The FTC has appealed this decision, and has agreed to postpone enforcing the rule against physicians until the appeal is decided. If Congress does not act to modify the rule before January 1, 2011, this stipulation will continue to exempt physicians from compliance until the conclusion of the appeal process. 

 

In a June 14 speech before the AMA’s House of Delegates (entitled A Doctor and a Lawyer Walk into a Bar: Moving Beyond Stereotypes), FTC chairman Jon Leibowitz defended his agency’s reputation and emphasized the pro-physician efforts it has undertaken:

 

Fastidious bureaucrats aren’t pushing Congress to work quickly to fix the Red Flags Rule that has unintentionally swept up countless small businesses – including every doctor, dentist, lawyer, gardener, plumber, and housekeeper who bill customers on a monthly basis – the FTC is.  

 

Let me assure you, we feel your pain on red flags, and we want to fix it. We agree with you that the red flags rule reaches too far. We have delayed enforcement of the rule to give Congress an opportunity to legislate a solution. As to doctors, I am pleased to announce that the FTC, as part of a stipulation with the AMA, will not enforce the rule against any AMA or state medical society members until the court of appeals resolves the issue. And we call on Congress to do that sooner rather than later; the financial reform legislation moving right now is a perfect opportunity. 

 

The stipulation text has not been released, so it is not clear whether this enforcement moratorium applies to all physicians or only those who belong to the societies who brought the suit.

An Update: Physicians and Lawyers Successfully Trump (At Least for Now) Compliance with the Red Flags Rule

On May 28, 2010, William H. Maruca, editor of this blog, reported in a post entitled Red Flag Reprieve - Déjà vu All Over Again that, under pressure from Congress, the Federal Trade Commission (“FTC”) had agreed to postpone enforcement of its “Red Flags Rule” until January 1, 2011.  

 

On June 1, 2010, an article in The National Law Journal discussed the postponement insofar as enforcement of the Red Flags Rule by the FTC against doctors, lawyers, and other professionals would require them to develop written identity theft prevention programs. The article further noted that the postponement followed separate lawsuits by the American Bar Association and the American Medical Association and other physician associations on behalf of their respective professionals against the FTC, arguing that imposing the identity theft rule requirements on their members is arbitrary, capricious and has no legally supportable basis. The article quoted FTC Chairman Jon Leibowitz as stating that Congress needs to clarify and fix problems in the application of the Red Flags Rule quickly to permit the FTC to carry out its enforcement obligations.

 

“Financial Institutions” and “creditors” with “covered accounts” are governed by the Red Flags Rule.  Therefore, a physician, other healthcare provider or lawyer could be subject to the Red Flags Rule if any activities meet the definition of a creditor with a covered account.  This broad definition essentially includes anyone who bills after providing services or allows patients or clients to defer payment.  One could be deemed a creditor simply because it allows a patient or client to defer payment for medical or legal services rendered. 

 

The “final” Red Flags Rule was promulgated by the FTC as long ago as November 9, 2007 under the Fair and Accurate Credit Transactions Act of 2003. The original compliance date for the Red Flags Rule was November 1, 2008. However, because many healthcare providers and professionals were unaware of or uncertain as to whether the requirements of the Red Flags Rule applied to them, the FTC delayed the initial enforcement date to May 1, 2009.

 

Discussions and correspondence between the healthcare sector and the FTC to clarify whether health care providers, such as physicians and other providers such as hospitals, must comply with the Red Flags Rule followed.  As a result of those discussions and the subsequent lawsuits discussed above, the FTC suspended enforcement of the Red Flag Rule multiple times, with the most recent enforcement deadline date being postponed to January 1, 2011.

 

Significant changes with respect to the application of the Red Flags Rule may be on the horizon for the healthcare industry.  It is not clear that Congress will act or, if it does, that the legislation will clearly define the applicability of the Red Flags Rule to a specific type of healthcare provider. Providers should keep apprised of developments that may affect them.

 

Red Flag Reprieve - Déjà vu All Over Again

 The oft-delayed implementation deadline for the FTC’s Red Flag identity theft protection rules has been put off for a fifth time, through December 31, 2010. The last extension would have kicked in on June 1, 2010. The FTC cited ongoing legislative efforts to clarify the application of the law to certain entities, particularly H.R. 3763 which has passed the House and is awaiting Senate action. The bill would exempt a health care practice with 20 or fewer employees; an accounting practice with 20 or fewer employees; a legal practice with 20 or fewer employees; or any other business, if the FTC determines, following an application for exclusion by such business, that such business—(i) knows all of its customers or clients individually; (ii) only performs services in or around the residences of its customers; or (iii) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.

 

Coincidentally or not, on May 21 the American Medical Association (AMA), American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC) filed a suit in federal court seeking to prevent the FTC from extending identity theft regulations to physicians.

 

The Red Flag rules were added to the Fair Credit Reporting Act and were ostensibly designed to require “creditors,” such as banks and credit card issuers, to implement policies to identify and prevent misuse of financial and personal information. The term “creditor” was defined broadly to include many professional practices who accept deferred payments, and the AMA and other professional societies contend that the FTC’s interpretation exceeds its legal authority.

Oh Where, Oh Where Will the Red Flag End Up (or Down)?

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline date for the health care industry, with the latest deadline date being pushed all the way to June 1, 2010. Without a doubt, recent developments over the last several weeks have helped spur this latest bump.

For instance, on August 27, 2009 the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton for the U.S. District Court for the District of Columbia granted the 400,000-member ABA summary judgment on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed in the House, and it has been referred to and is being considered by the Senate.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to get their Identity Theft Prevention Program developed and adopted. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep their eye on H.R. 3763 to see if its enactment will exempt them from having to comply with the Red Flags Rule altogether. Finally, watch out for other industry groups that may now, in light of the ABA’s successful action, potentially consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such similar actions would be as successful as the ABA in light of the fact that Medical Identity Theft is a documented and real issue in the healthcare industry.

Should Health Care Providers Bother with Red Flags?

Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009. The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. Interestingly, last week, Law 360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement. If the ABA were to go down that route, others could follow suit (excuse the pun).

So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . . but should they?

In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers' compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care. In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this.

The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program should match the size and complexity of the particular health care provider -- and, thus, should be manageable, both from an administrative and financial standpoint. On the other hand, a victim of medical identity theft can have their safety, well being and even life jeopardized. The Red Flag Rules should be viewed, then, as one way to help protect patients from this growing problem.

To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.

Red Flag Enforcement Delayed to August 1, 2009

This morning, the Federal Trade Commission (FTC) announced it will delay (again) enforcement of the new “Red Flags Rule,” now until August 1, 2009 to give affected entities more time to comply. In the press release, FTC Chairman Jon Leibowitz said:

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. The FTC release points out that accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

The news release states that for entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC will be releasing templates to help them comply with the law. The FTC also already has a number of materials posted to help explain what types of entities are covered by the FTC Red Flag Rules and to provide guidance. See: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm and www.ftc.gov/redflagsrule.

IDENTITY THEFT RED FLAG COMPLIANCE DEADLINE DELAYED TO May 1st.

The Federal Trade Commission issued an announcement today that the deadline to implement the Red Flag requirements pertaining to identity theft has been delayed for six months, making the new compliance deadline May 1, 2009.

In its Enforcement Policy Statement, the FTC states:

During the course of the [FTC]’s education and outreach efforts following publication of the rule, the [FTC] has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA’s definitions of “creditor” or “financial institution.” Many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008.

Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the [FTC] believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial to the public. Delaying [FTC] enforcement of the rule as to the entities under its jurisdiction by six months, until May 1, 2009, will allow these entities to take the appropriate care and consideration in developing and implementing their programs. It also will give the [FTC] time to conduct additional education and outreach regarding the rule. Therefore, the Commission has determined that it will forbear from bringing any enforcement action for violation of the Identity Theft Red Flags.

Therefore, creditors, including healthcare providers that defer payment for goods and services, now have additional time to develop and implement Red Flags for identity theft.

Red Flags to Help Combat Medical Identity Theft

The FTC published the Red Flag rule on November 9, 2007. However, over the last year there was considerable confusion and uncertainty about whether the rule, which is primarily geared toward financial institutions and other lenders, also applied (or should apply) to healthcare providers. However, on October 15, 2008, the Office of the National Coordinator for Health IT (ONC) sponsored a Medical Identity Theft Town Hall and, on the same day, posted a document titled "Medical Identity Theft Environmental Scan" which, among other things, confirms that the FTC's Red Flag Rules extend to "entities outside of the traditional financial institutions, including entities in the health care industry." The FTC's June 2008 Business Alert also specifically noted that "nonprofit entities and government entities that defer payment for goods and services [are] considered 'creditors'" for purposes of the rule.

The compliance deadline for implementing Red Flags is fast approaching on November 1, 2008. UPDATE: On October 22, 2008, the FTC delayed the compliance deadline for Red Flag requirements pertaining to identity theft for six months. The new compliance deadline is now May 1, 2009.

A broad application of the Red Flag rules to the healthcare sector has likely been embraced because of an increased awareness that medical identity theft is a growing issue in healthcare, and it is hoped that Red Flags will assist with combating this risk. To comply with the Red Flag rule requirements, hospitals must have a plan in place to detect, mitigate, and prevent red flags that signal potential identity theft. Covered Entity providers may note that an effective HIPAA privacy and security compliance program contains many safeguards (e.g., access controls, person/entity authentication, audits) that already accomplish some of what the Red Flag rules require.

For a sample medical identity theft policy, visit the website of Health Ethics Trust.  The World Privacy Forum also published a report on September 24 entitled "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers" that is helpful.