The Federal Trade Commission delayed enforcement of the Red Flags Rule for a fifth time, this time extending the date seven months.
Enforcement was scheduled for June 1, 2010. It is now changed to December 31, 2010.
The FTC says on its Web site the delay comes at the request of Congress as it "considers legislation that would affect the scope of entities covered by the rule."
Healthcare entities defined as "creditors" by the FTC must still comply with the rule by implementing a program to prevent and detect cases of identity theft. Compliance date was November 1, 2008.
"Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule–and to fix this problem quickly," FTC Chairman Jon Leibowitz said on the FTC Web site. "We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
The Senate filed a bill Tuesday, May 25, an awfully similar bill from the House's in October that essentially exempts providers with fewer than 20 employees from complying with the FTC's Red Flags Rule. The House bill passed 400-0.
The FTC says it will make enforcement effective earlier than December 31, 2010, provided Congress passes legislation before that date.
Medical and osteopathic associations Friday, May 21, sued the FTC for covering them under the Red Flags Rule, which requires them to start verifying their patients' true identities before they agree to treat them.
The lawsuit seeks to prevent the FTC from defining physicians as "creditors" whenever they do not require payment in full at the time they provide care, and later bill them, according to the brief filed by the American Medical Association and the American Osteopathic Association and the Medical Society of the District of Columbia, the District Court where the case was filed.
"We do already have a number of rules and regulations to follow to protect patient privacy and information security, and these have recently been strengthened with ARRA and HITECH," says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, Maine. "Requiring healthcare providers to follow the Red Flags Rule is just another regulatory hoop for us to jump through."
Simons, who will speak on HCPro, Inc.'s June 9 audio conference, "Prevent Medical Identity Theft and Comply with FTC Requirements Now," says there is never enough training and monitoring regarding best security and privacy practices.
However, she says, "I don't think this adds significantly to what we already do."
Bonnie McLaughlin, a development analyst for Medical Information Technology, Inc. in Westwood, MA, says she is "horrified" by the attempt to exempt physician practices from the Red Flags Rule.
"It is just as possible that someone can use my identity/insurance/financial information when presenting at a physician's office as it would be in a larger healthcare setting," McLaughlin says.
McLaughlin says devising a Red Flags Rule policy "can be relatively simple."
"If these providers would simply read through the ruling and understand exactly what is involved in meeting this requirement, they would have already been able to meet the criteria in the amount of time they have taken resisting being held accountable," she says.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.