Get Ready for TSA-Like ID Checks in Doctor’s Offices!
The Red Flags Rule is an anti-fraud regulation, requiring â€œcreditorsâ€ and â€œfinancial institutionsâ€ with covered accounts to implement programs to identify, detect, and respond to the warning signs, or â€œred flags,â€ that could indicate identity theft.Â Doctors have been included in the creditor definition.
Â FTC continues to assert that physicians’ practices are entities covered under the rule. For additional information, see aÂ sample policy.Â
What the Red Flags Rule Means to Physicians
Enforcement of the Red Flags Rule has been delayed again by the Federal Trade Commission (FTC) until June 1, 2010.Â This marks the fourth time since November 2008 that the FTC has delayed enforcement of the Red Flags Rule.Â Â Prior to the FTCâ€™s most recent delay, the Red Flags Rule was scheduled for enforcement beginning November 1, 2009.Â
Why This is Being Done:Â This is not just in response to identity theft.Â Apparently in some areas people are “sharing” (ie giving) their insurance cards to others to get them covered for services they don’t have insurance for or medications.Â Under this plan your doctorÂ will be reponsible for checking multiple forms of photo ID’s and putting you through airport security to enter the office.Â Â
The Red Flags Rule was promulgated as the result of a law enacted by Congress (the â€œFair and Accurate Credit Transactions Actâ€) in which Congress directed the FTC to develop regulations requiring â€œcreditorsâ€ and â€œfinancial institutionsâ€ to address the risk of identity theft.Â As a result, the FTC promulgated the rule to require all covered entities to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activitiesâ€”known as â€œred flagsâ€- that could identity theft.Â The FTC interprets the term â€œcreditorâ€ very broadly, so that any medical practice that does not require full payment at time of service would be considered a â€œcreditorâ€ and subject to the terms of the rule.Â
I am really good at taking care of my patients–but I don’t have TSA in my office checking photo ID’s.Â The ASRM has joined with the American Medical Association and other medical societies to urge FTC and Congress that physicians are not “creditors” and should not be subject to the rule.Â We are pleased that the FTC has granted another delay.Â
The FTCâ€™s Red Flags Web site, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.
WhileÂ many covered entities have already developed and implemented appropriate, risk-based programs, some â€“ particularly small businesses and entities with a low risk of identity theft â€“ remain uncertain about their obligations. The additional compliance guidance that the Commission will make available shortly is designed to help them. Among other things, Commission staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics . The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customersâ€™ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
More information on FTCâ€™s decision is available atÂ http://www2.ftc.gov/opa/2009/10/redflags.shtm.