Red Flags Rule - Consumer Identity Theft Prevention

Keywords: HIPAA  Patients_Rights  


In Nov 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule,” requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. At that time, indications pointed to the FTC considering physician practices to be subject to those requirements. However, the American Medical Association (AMA) and other physician groups strongly expressed their concerns and successfully delayed implementation until the ruling could be studied. For more information and background on these regulations, please refer to the Data Security section of the AMA Web site.

Red Flags Rule clarified 

On Dec 18, 2010, just weeks before the ruling would go into effect, President Obama signed the “Red Flag Program Clarification Act of 2010,” which clarifies the type of “creditor” that must comply with the Red Flags Rule.  This law supports medical groups’ long-standing argument that the Red Flags Rule should not be applied to physicians generally.  The ruling will keep most doctors from having to comply with certain identity theft protection measures such as installing monitoring programs; however, the FTC stated particular industries would not be excluded automatically from the rule. Rather, they would be judged on whether their business activities are in line with the definition of "creditor," as defined by Congress.  The law narrows the term "creditor" to include only entities that use consumer reports, furnish information to consumer reporting agencies or extend credit. “If an organization is considered a creditor under the Equal Credit Opportunity Act and is engaged in any of the activities identified in the legislation, it is still covered by the rule," according to an FTC spokesman. 

Under this law, “creditors” that fall under the Red Flags Rule are only those who regularly and in the ordinary course of business: (1) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to certain consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on the person's obligation to repay the funds or on repayment from specific property pledged by them or on their behalf (this does not include creditors who advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person).  Creditors that fall under one of these categories must comply with the Red Flags Rule that went into effect Dec 31, 2010. Creditors that do not fall under one of these categories are not subject to the Red Flags Rule.  For a link to the Red Flag Program Clarification Act of 2010...  

For more information, FAQs and resources from the FTC on the Red Flags Rule, including a "how to guide" for businesses...

To assist physician practices, the AMA has developed helpful tools and resources to protect your patients from identity theft. 

Of course, all physicians are subject to regulations to ensure the safeguarding of patient information.  For information on HIPAA and ARRA privacy requirements... 


Last Updated 12/23/2010


1515 Hermann Drive Houston, TX 77004-7126
Ph: (713) 524-4267, Fax: (713) 526-1434
Copyright 1999-2012 Harris County Medical Society All Rights Reserved