Red Flag Rule To Be Effective December 31, 2010 - Make Your Revenue Smarter

Deadline may not be extended, as before

The FTC “Red Flags Rule” requires a broad range of companies to install identity theft protection programs by December 31, 2010. Red Flags are warning signals to alert a business to potential identity theft. Previously, the deadlines have been extended by the FTC, due to the volume of complaints by multiple industries, not the least of which were healthcare providers, particularly the powerful American Medical Association (AMA).

Notwithstanding any extension by the FTC, companies should be prepared to adopt programs to identify these “Red Flags,” then detect, mitigate and deal with identity thefts if and when they occur. Such programs and procedures will likely require changes to computer systems and access security, patient information security, and perhaps even hiring and privacy policies. While there is some overlap, this rule goes beyond what providers have already done for HIPAA compliance.

On November 1, 2008, the Federal Trade Commission (FTC) set new “creditor” rules which apply to virtually all healthcare providers, and agreed to give healthcare providers six months to comply with the new Red Flag Rules before it started enforcing them. That first delay expired May 1, 2009, yet most providers were still completely unaware of the new rules.

The so-called “Red Flag Rules” require that “creditors” (meaning any business that has consumer accounts susceptible to identity theft) implement policies and procedures for detecting, preventing and mitigating the crime.

Basically, if an organization allows a consumer to make multiple payments, that organization is considered a “creditor” and is subject to the rules. When a provider lets patients stretch out payments on a service, or sends a bill through the mail instead of demanding immediate payment, that provider then falls under the rules.

In 2008, the American Medical Assn. (AMA) argued that physicians are not creditors because most do not “regularly extend, renew or continue credit,” and therefore the rule’s definition of a creditor does not include physicians or other types of providers. The AMA also pointed out that providers are already covered in this manner under HIPAA, and argued that application of the rule might have unintended consequences on the practice of medicine.

The FTC disagreed in a Feb. 4 letter sent in response to the AMA.

Although the Rule became effective January 1, 2008, requiring full compliance for all covered entities by November 1, 2008, the FTC has delayed enforcement of the Rule several times. In October 2009, at the request of certain Members of Congress, enforcement was delayed until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. However, due to another request from Members of Congress, enforcement was delayed again until June 1, 2010.

On May 28, 2010, with no action yet by Congress, the FTC announced that it would again delay enforcement until after December 31, 2010.

UPDATE:

On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act. The new law limits the circumstances in which creditors are covered by the Red Flags Rule. The FTC is revising the materials on its site to reflect the change in the law.

 

 
