AMA Files Lawsuit over Red Flags Rule

The American Medical Association and other healthcare groups have filed a lawsuit against the Federal Trade Commission to exempt physicians from the embattled Red Flags Rule. The suit, filed May 21, 2010, comes just days before the rule’s June 1 enforcement deadline.

The Red Flags Rule requires financial institutions and other “creditors” to implement safeguards against identity theft. In part, covered organizations must develop reasonable processes to detect “red flags” that would alert them to fraudulent activity, such as a patient who does not resemble the photo on the ID card he or she presents.

The FTC determined that healthcare providers are creditors under the rule because they routinely provide services and then bill patients after the fact.

The AMA, along with the American Osteopathic Association and the Medical Society of the District of Columbia, filed the suit claiming that their members are not “creditors” as defined by the law, which was passed by Congress as part of the Fair and Accurate Credit Transactions Act of 2003. The group also says the rule could harm patient care and duplicates safeguards already in place for healthcare providers.

AMA: Rule Unnecessary, Harmful

The lawsuit complaint states that the FTC’s interpretation of the rule exceeds the powers delegated to it by Congress and that the rule’s application to physicians is “arbitrary, capricious and contrary to the law.”

“This unjustified federal regulation of medicine treats physician practices like banks, credit card companies, and mortgage lenders,” said AMA president-elect Cecil B. Wilson, MD, in a press release. “The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public.”

Physicians provide services to patients before seeking payment, not as an official extension of “credit,” the suit states, but to ensure patients receive proper treatment in a timely manner and regardless of their ability to pay. AMA claims the Red Flags Rule would put an unjust burden on providers to verify the identities of their patients before treatment, which the association states is unethical.

AMA’s suit goes on to state that enforcing an identity theft program would harm the physician-patient relationship by forcing physicians to be suspicious of a new patient’s identity.

“The FTC’s attempt to impose a duty upon physicians to investigate each patient’s identity in advance of treatment conflicts with basic precepts concerning the patient-physician relationship and physicians’ ethical responsibilities to safeguard that relationship,” the suit states. “The FTC… compromises physicians’ ability to gain new patients’ trust, which is essential to the well-being of patients.”

The regulations are also unnecessary, the suit claims, since providers are already covered by the HIPAA and HITECH regulations, which require providers to keep patient information secure and confidential.

FTC officials have stated that the Red Flags Rule places only a small burden on healthcare providers while delivering a highly effective safeguard against medical identity theft. FTC offers specific guidance to help providers implement basic programs that will protect patients both financially and medically, officials said.

Long Battle Continues

The AMA’s lawsuit comes after two years of communication with the FTC on the rule. The rule’s original enforcement deadline was November 2008, but it has been postponed four times as groups including the AMA put pressure on the FTC to clarify or amend the rule. Congressional requests to delay also pushed back enforcement.

On January 27, 2010, the AMA and several other healthcare groups petitioned the FTC to exclude healthcare providers from the Red Flags Rule. The FTC responded on March 25, 2010, saying it would not exempt the groups.

AMA filed the exemption request in light of a ruling from the US District Court for the District of Columbia in October 2009 that attorneys, whom the FTC also included under the rule, were exempt because they did not fit the creditor definition. The FTC has since appealed that ruling.

In November 2009 an accountants association filed a similar suit against the FTC in the same DC court. The AMA also filed its lawsuit in the same court.

Congress entered the fray in October 2009 when the House of Representatives passed a bill that would exempt small legal, accounting, and healthcare practices from the rule. That bill was sent to the Senate Committee on Banking, Housing and Urban Affairs, where it currently awaits action.

The Risks of Exemption

AHIMA has come out in support of healthcare’s inclusion in the Red Flags Rule. In a letter to the chair of the Committee on Banking, Housing and Urban Affairs, AHIMA wrote that exempting small practices could open up healthcare to more medical identity theft at a time when such crimes are on the rise.

Medical identity theft is a persistent problem in healthcare, the letter stated, and the impact on patients can go far beyond financial hardship, even threatening care when an imposter’s medical information gets mixed into the patient’s record.


  1. I support AHIMA’s view on not exempting the smaller practices regarding the Red Flags Rule. In my opinion the smaller practices do not have the resources for implementation or monitoring of the policies needed to protect the confidentiality and/or disclosure of a patient’s medical records such as a Privacy Officer or Compliance Officer, therefore putting them at greater risk for medical identity theft.

  2. I feel that the Red Flag Rule has merit, in that it is trying to stop medical identity theft, but in reality it is just another attempt by government to legislate medicine. The government, over the last few years, has so overburdened health care with regulations, to the point that some facilities and physician practices are being regulated out of business. Hospitals and physicians are not banks or other types of financial institutions and should not be required to verify a patient’s identity before rendering care, beyond the normal precautions anyone takes when verifying insurance and registering patients.
