Get Ready for TSA-Like ID Checks in Doctor’s Offices!

The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.  Doctors have been included in the creditor definition.
 FTC continues to assert that physicians’ practices are entities covered under the rule. For additional information, see a sample policy. 
What the Red Flags Rule Means to Physicians
Enforcement of the Red Flags Rule has been delayed again by the Federal Trade Commission (FTC) until June 1, 2010.  This marks the fourth time since November 2008 that the FTC has delayed enforcement of the Red Flags Rule.  Prior to the FTC’s most recent delay, the Red Flags Rule was scheduled for enforcement beginning November 1, 2009. 
Why This is Being Done:  This is not just in response to identity theft.  Apparently in some areas people are “sharing” (ie giving) their insurance cards to others to get them covered for services they don’t have insurance for or medications.  Under this plan your doctor will be reponsible for checking multiple forms of photo ID’s and putting you through airport security to enter the office.   
The Red Flags Rule was promulgated as the result of a law enacted by Congress (the “Fair and Accurate Credit Transactions Act”) in which Congress directed the FTC to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft.  As a result, the FTC promulgated the rule to require all covered entities to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities—known as “red flags”- that could identity theft.  The FTC interprets the term “creditor” very broadly, so that any medical practice that does not require full payment at time of service would be considered a “creditor” and subject to the terms of the rule. 
I am really good at taking care of my patients–but I don’t have TSA in my office checking photo ID’s.  The ASRM has joined with the American Medical Association and other medical societies to urge FTC and Congress that physicians are not “creditors” and should not be subject to the rule. We are pleased that the FTC has granted another delay. 
The FTC’s Red Flags Web site, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.
While many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations. The additional compliance guidance that the Commission will make available shortly is designed to help them. Among other things, Commission staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics . The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
More information on FTC’s decision is available at


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>