What’s Become of the Red Flags Rule?
A series of lawsuits, legislation, and lobbying continues to hold up enforcement of the Red Flags Rule, now nearly a year-and-a-half past its original enforcement deadline. After four delays, many in healthcare are wondering what has happened to the rule and if healthcare providers will be exempted from it.
Enforcement of the rule is currently scheduled to begin June 1, but several recent events may keep the rule in limbo.
FTC: A Wide View of “Creditors”
An amendment to the Fair and Accurate Credit Transaction Act of 2003 created the Red Flags Rule, which requires financial institutions and any institutions considered “creditors” to develop, implement, and monitor identity theft prevention programs.
Congress gave the FTC authority to develop and enforce the rule. After studying the act, the FTC determined that the rule should cover not just financial institutions but any business that acted as a creditor by providing a service and then billing after the fact or in post-service installments.
That included healthcare providers, lawyers, accountants, and others. Healthcare providers are open to identity theft and covered by the rule, FTC officials said, because thieves can obtain treatment using a victim’s identity and then leave the victim with the bill.
FTC published its rule in November 2007 and set the enforcement date as November 2008. Meeting with resistance and continuing requests for clarification, it began announcing a series of delays.
Supporters of the rule say a lack of enforcement is leaving healthcare providers open to medical identity thieves. But opponents say the FTC overstepped its authority and unfairly included healthcare under the rule, and they want the rule amended.
Groups like the American Medical Association and American Dental Association have been lobbying the FTC and Congress to exempt healthcare organizations. The FTC has resisted, saying it does not have the authority to exempt any industry that qualifies as a creditor under the terms of the law. Only Congress or the courts can create an exemption, it says.
And, indeed, Congress and the courts have gotten involved.
House of Representatives: A Burden on Small Business
In October 2009 a bill sped through the House of Representatives that would exempt healthcare, legal, and accounting practices of 20 or fewer employees from the Red Flags Rule. The bill passed unanimously and now is awaiting a hearing with the Senate Committee on Banking, Housing and Urban Affairs.
Supporters of the bill claim that Congress only intended the rule to cover larger financial institutions and other traditional lenders and that the FTC has created an undue burden on small practices.
The rule “would force thousands of small businesses to comply with burdensome, expensive regulations by forcing them to develop and implement an identity theft program,” said Rep. John Adler (D-NJ), one of the bill’s sponsors, in introducing the bill to the House.
However, groups including AHIMA oppose the exemption, noting that nearly half of healthcare providers operate in practices of six employees or fewer, and exempting them would leave a large share of providers without any requirement to implement medical identity theft prevention plans.
It is unlikely that the Senate committee will get to the House bill before the FTC’s June 1 enforcement deadline, according to Don Asmonga, director of government relations at AHIMA. He expects the committee to work on a long list of other issues.
If the Senate does not act on the bill before Congress adjourns in October, the current bill will die and would need to be reintroduced in the House next year.
The FTC issued its most recent postponement to allow the Senate time to consider the House bill. With the enforcement deadline fast approaching, the FTC has not yet decided what to do if the Senate does not act before June 1, says Naomi Lefkovitz, an attorney with the FTC.
US District Court: “Plainly Erroneous”
The rule has landed the FTC in court, also. Trade associations have launched lawsuits against the FTC to exempt their industry professionals from the rule, most notably the American Bar Association.
In October 2009 the US District Court for the District of Columbia ruled that attorneys should be exempted from the rule because the FTC’s inclusion of attorneys as creditors was “both plainly erroneous and inconsistent with the purpose underlying the enactment of the FACT Act,” court documents state.
Soon after the court’s ruling, the American Institute of Certified Public Accountants filed a similar lawsuit asking that accountants also be exempted from the rule.
If healthcare providers want an exemption, experts following these cases expect they will need to file a lawsuit, also.
No lawsuit had been filed by March; however, the American Medical Association has opposed the inclusion of physicians in several letters to the FTC.
“This regulation adds additional financial and administrative burdens upon physician practices given that it duplicates existing Health Insurance Portability and Accountability Act privacy and security requirements,” AMA executive vice president Michael Maves wrote in one letter.
The AMA also argues that practice physicians are not creditors because most do not “regularly extend, renew or continue credit.”
Compliance Date Long Past
Healthcare providers should not wait to see if the June 1 deadline holds firm, says Chris Apgar, CISSP, president of healthcare consulting company Apgar and Associates. He reminds healthcare professionals that only the rule’s enforcement deadline has been delayed—the compliance deadline passed more than two years ago when the FTC published its final rule.
An extended version of this article appears in the AHIMA Body of Knowledge.