Small and independent physicians' practices won't have to implement federally mandated identity theft protection measures for their patients' information until the end of the year, at the earliest.
The decision by federal regulators in May to delay implementation of a requirement that physicians' practices develop policies and procedures to safeguard their patients' identity-related information came as several physician groups filed a legal challenge to the requirement and as Congress was considering a targeted exemption from it for physicians.
Known as the “red-flags rule” because it aims to limit “possible risks to account holders or customers or to the safety and soundness of the institution or customers,” the Federal Trade Commission (FTC) regulation requires businesses offering credit to develop and regularly update a written policy for finding, preventing, and resolving identity theft.
But physicians' advocates have argued that physicians are not creditors like banks and lenders, which the regulation is intended to target, and that the rule should not apply to them.
The AMA “is pleased that [the FTC] has announced today they are delaying the compliance deadline for the red-flags rule until the end of this year,” said Cecil Wilson, M.D., then AMA president-elect, in a written statement. “We call on the FTC to exempt physicians from the rule completely.”
Regulators have delayed the application of the controversial regulations to physicians several times already, including scrapping the most recent compliance deadline of June 1.
The FTC said in a May 28 statement that the latest delay came at the request of several members of Congress, who are pushing legislation to exempt small businesses, including medical practices, with 20 or fewer employees from the requirements.
The exemption legislation (HR 3763), sponsored by Rep. John Adler (D-N.J.), would exclude medical practitioners and others from the rule. That bill passed the House with no dissenting votes in October 2009 and was referred to the Senate, where it has yet to advance.
Since then, the AMA and two other physician groups—the American Osteopathic Association and the Medical Society of the District of Columbia—joined forces to file suit in May to block the application of the regulation to physicians. The American Bar Association won an exemption for attorneys after it filed a similar suit last year.
The AMA suit challenges the FTC's interpretation of the 2003 law (PL 108-159) that created the red-flags rule—an interpretation that categorizes physicians as “creditors” because they usually don't receive full payment at the time they provide care. The AMA argues that the realities of an insurance-based health care system are among the reasons physicians do not demand payment in full at the time of treatment.
“In many cases, a physician is not entitled to bill patients immediately upon providing services under contracts with health insurance carriers,” stated the AMA lawsuit.
Physician groups opposing the regulations also note that the 1996 federal health privacy law commonly referred to as HIPAA and other regulations already safeguard patient data.
“Pursuant to this statutory [HIPAA] mandate, [the Department of Health and Human Services] has promulgated regulations creating a web of physical, administrative, and technical security requirements that physicians and other health care providers must follow to safeguard the security and integrity of their patient records,” stated the lawsuit.
The FTC also acknowledges in its online guidance for physicians on the regulations that there is a lower risk of identity theft at small physician practices, where many patients may be known to the staff. In such situations the FTC is unlikely to bring enforcement lawsuits, according to the commission's Web site. However, both the FTC and state enforcement agencies would retain authority under the regulations to bring lawsuits against solo practitioners and small practices.
Supporters of the FTC effort to include physicians in the identity-theft requirements, such as the American Health Information Management Association, maintain, however, that Medicare, Medicaid, and insurance fraud often are facilitated by the theft of patients' identities from physician records. And the red-flags rule could be a key factor in reducing fraud and abuse in the health care system.