FTC announced earlier this morning that it is delaying enforcement of the Red Flags Rule to 12/31/10, pending expected legislation by Congress that would affect the scope of entities covered by the Rule. As I wrote in my blog just a few days ago, organizations representing physicians, lawyers and accountants have already contended that the Rule shouldn’t apply to them. I wrote that the previous deadline of 06/01/10 was probably too close for FTC to move it again. I guess it is never too close!
Let us wait and watch for next steps from the Congress now!
Frankly, I have lost count of how many times FTC has moved the deadline already (see my related post from 2009). This time, however, the deadline is so close (about a week out at the time of this blog post) that I think the rule is finally going to take effect. Again, I may be proved wrong… let us wait and see!
Aside from the rule taking effect, enforcement of the rule is going to be interesting to watch! Just this past Thursday, the AMA and two other physician groups filed a suit contending that the rule shouldn’t apply to physicians. The rule had already been contested by lawyers and accountants.
The AMA’s suit comes after several back-and-forth discussions with FTC over the last year or so. It appears the AMA was not convinced that the rule should apply to physicians, despite what I thought was a compelling argument by FTC.
The AMA’s main contention has been that hospitals and physicians are already subject to the HIPAA Security and Privacy Rules and therefore the Red Flags Rule shouldn’t apply to them. From my experience, however, I believe that most HIPAA Security/Privacy Programs may not be effective against today’s identity thieves. I would recommend that health care providers implement a risk-based, written Identity Theft Prevention Program to supplement the Administrative Requirements (§ 164.530) of the HIPAA Privacy Rule and the Administrative Safeguards (§ 164.308) of the HIPAA Security Rule.
I think the quote below from FTC’s letter sums it up well:
“The Rule is designed to prevent identity theft primarily by ensuring that organizations are alert to signs that an identity thief is using someone else’s identifying information fraudulently to obtain products or services, including services such as medical care. Thus, the Red Flags Rule generally complements rather than duplicates the HIPAA data security requirements.”