FTC Responds To AMA's Challenge To The Identity Theft Red Flags Rule's Applicability To Physicians

On Feb. 4th, the Federal Trade Commission rejected a health care providers' challenge to the Identity Theft Red Flags rule, which requires certain businesses to craft and implement customer identity theft prevention policies. The FTC's ruling, which had been challenged by the American Medical Association, means that health care providers must comply with the Red Flags Rule even though they already must meet existing privacy and security obligations under the Health Insurance Portability and Accountability Act (HIPAA).

In brief, the Red Flags Rule requires each "financial institution" and "creditor" that has one or more "covered accounts" to develop and implement a written identity theft prevention program. Such a program must be designed to detect, prevent and mitigate identity theft in connection with the opening of new "covered accounts" or activity relating to existing "covered accounts."

The FTC's response rejects the AMA's multiple arguments that physicians are not "creditors." In its ruling, the FTC states that physicians and other health care providers are "creditors" under the Red Flags Rule, even if they do not consider themselves such, if the provider performs a service and then defers the patient's payment for the services to a future point in time.

The identity theft prevention program required under the Red Flags Rule is not designed to be one-size-fits-all. Instead the FTC stresses the flexibility of such programs and their need to be tailored to the degree of identity theft risk faced by a provider, which for many providers could be "minimal or non-existent."

A low risk of identity theft does not mean that no Program is needed, but does allow a provider to use a "simple and streamlined program" to fulfill any obligations under the Red Flags Rule. Unfortunately, at present, the FTC has not offered any bright-line test for who is high-risk or low-risk under the Rule.

Nevertheless, throughout the response, the FTC speaks of collaboration, working together, and helping the AMA and providers become compliant so as to minimize the Red Flags Rule's potential burden on health care providers. Perhaps, this spirit of collaboration will result in sample programs or other guidance being made available to AMA members in the coming months.

The FTC's response clarifies that the Red Flags Rule complements HIPAA's regulations protecting patient data, while also focusing on reducing medical identity theft (the misuse of a patient's name or insurance information to obtain services) beyond electronic data. The response confirms the six-month forbearance period for the Rule's enforcement, which ends May 1, 2009.

With this in mind, physicians and other health care providers should develop or review their procedures for handling covered accounts through an appropriate new or existing identity theft prevention program for their businesses based on their identity theft risks. Call us if you need assistance in developing a program or assessing your identity theft risks before enforcement begins in May!

The Firm's Privacy Team regularly works with the Health Care Practice Group to provide in-depth counseling and compliance planning on the Red Flags Rule and related information security and privacy matters. An earlier Firm Alert on compliance with the Red Flag Rules may be found here.

This Client Alert is a publication of the Health Care Practice Group at Womble Carlyle Sandridge & Rice, PLLC. Readers are urged to consult with their regular contacts at the firm or

Tom Stukes at 336-574-8065

Tony Brett at 336-721-3620

Dick Vincent at 404-879-2422

Kim Licata at 919-484-2313.