Miami, FL, October 29, 2009 --(PR.com)-- The Federal Trade Commission (“FTC” or “Commission”) is set to begin enforcement of the highly anticipated Red Flags Rule (“Rule”) on November 1, 2009. The Rule, developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, will require “creditor[s]” to create and implement a written Identity Theft Prevention Program. Although the Red Flags Rule went into effect on January 1, 2008, enforcement has been suspended numerous times, to provide covered entities additional time to develop and implement written Identity Theft Prevention Programs.
On October 20, 2009 the U.S. House of Representatives passed H.R. 3763, a bill that exempts a healthcare practice, among others, with 20 or fewer employees from the requirements of the FTC’s Red Flags Rule. The bill has now passed to the Senate.
Although many in the health care industry are heralding the passage of this bill as the first victory in a long battle to exclude physicians from the definition of “creditor” under the Rule, careful thought must be given to the possible “side effects” of such legislation.
One fact often overlooked in the identity theft debate is that although the FTC has been unwavering in its refusal to exempt the health care industry from the Rule, the Commission has recognized that in medical practices where the staff is familiar with everyone who walks through its doors, there is little risk of identity theft. Thus, the FTC has reasoned that for small medical practices the “risk of identity theft may be so low that, as a matter of prosecutorial discretion, Commission staff would be unlikely to recommend bringing a law enforcement action.” However, if H.R. 3763 is passed by the Senate this may no longer be the case.
For one, this bill creates an exemption to the Rule that is based on “practice size,” rather than one that is “industry-based.” As such, the bill reaffirms the FTC’s position that physicians fall under the definition of a “creditor” and are subject to the Red Flags Rule - an interpretation highly contended by the American Medical Association (“AMA”).
H.R. 3763 may also have the additional unwanted effect of redirecting criminal activity away from the larger organizations, like hospitals, and toward the smaller and more vulnerable healthcare practices, like that of the primary care physician. By isolating small healthcare practices, this pending law will not only expose them to increased criminality but will also make small medical practices the subject of tougher regulation in the future, and more costly compliance.
The debate over the Red Flags Rule is not over. Members of the health care industry should expect more legislation and proposed changes over the upcoming months. Nevertheless, one thing is for certain: November 1, 2009 is quickly approaching. And, as of yet, medical practices – of all sizes – must come into compliance by this date.
If you have any questions or concerns as to whether the Red Flags Rule applies to your practice, please feel free to contact Ann Marie Gaitan, Esq., via e-mail at firstname.lastname@example.org or at 305.329.1467. Mrs. Gaitan is a partner at Gaitan Morales, PPLC, specializing in healthcare and FTC-related matters.
 H.R. 3763, as passed, excludes from the term “creditor” a health care practice, an accounting practice and a legal practice “with 20 or fewer employees.” The bill also creates an avenue for “any other business” to submit an application to be excluded from the meaning of “creditor” under the rule, at the FTC’s discretion. The full text of the bill is available at http://www.govtrack.us/congress/billtext.xpd?bill=h111-3763.
 See The Red Flags Rule: Frequently Asked Questions, at question E-3, available at http://ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm#E.
 The AMA has issued a practice management guide for physicians, which can be viewed at http://www.ama-assn.org/ama1/pub/upload/mm/368/red-flags-rule-edu.pdf.