Reprinted from AMA
Update: The Federal Trade Commission (FTC) has delayed the compliance deadline of the Red Flags Rule until December 31, 2010. The AMA will utilize this time to convince the FTC and Congress to republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program.
In Nov. 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule,” requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. Originally scheduled for a Nov. 1, 2008 compliance date, the FTC has now delayed the enforcement date of the Red Flags Rule until December 31, 2010. The new compliance date of December 31, 2010, which follows four earlier extensions to May 1, August 1, Nov. 1 and then later to June 1, is a result of continued advocacy by the AMA and others who continue to object to the applicability of this Rule to health care providers and other professionals.
Since the Rule was issued, the AMA has objected to the FTC's interpretation that physician practices are "creditors" when they accept insurance and bill patients after services are provided or if they allow patients to set up payment plans after services have been provided. The FTC states that this delay is intended to "give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs."
While the AMA intends to continue to make the case to Congress and the agency that the FTC should republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program, the AMA has prepared a guidance document, along with sample policies, so that members can incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies.