The oft-delayed implementation deadline for the FTC’s Red Flag identity theft protection rules has been put off for a fifth time, through December 31, 2010. The last extension would have kicked in on June 1, 2010. The FTC cited ongoing legislative efforts to clarify the application of the law to certain entities, particularly H.R. 3763 which has passed the House and is awaiting Senate action. The bill would exempt a health care practice with 20 or fewer employees; an accounting practice with 20 or fewer employees; a legal practice with 20 or fewer employees; or any other business, if the FTC determines, following an application for exclusion by such business, that such business—(i) knows all of its customers or clients individually; (ii) only performs services in or around the residences of its customers; or (iii) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.


Coincidentally or not, on May 21 the American Medical Association (AMA), American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC) filed a suit in federal court seeking to prevent the FTC from extending identity theft regulations to physicians.


The Red Flag rules were added to the Fair Credit Reporting Act and were ostensibly designed to require “creditors,” such as banks and credit card issuers, to implement policies to identify and prevent misuse of financial and personal information. The term “creditor” was defined broadly to include many professional practices who accept deferred payments, and the AMA and other professional societies contend that the FTC’s interpretation exceeds its legal authority.