“Red Flags Rule”: Guidance Documents Now Available for ASCRS and ASOA Members

TO: All ASCRS/ASOA Members                                        

Compliance Date: May 1, 2009                                 


In the summer of 2008, several ASCRS/ASOA members expressed concern over a Federal Trade Commission (FTC) final rule that appeared to require physician practices to develop and implement written identity theft prevention and detection programs by November 1, 2008. The ruling, known as the “Red Flags Rule,” was released in November 2007 and stems from the Fair and Accurate Credit Transactions (FACT) Act of 2003. It requires financial institutions and creditors to develop and implement written identity-theft-prevention programs for the identification, detection, and response to patterns, practices, or specific activities—known as red flags—that could indicate identity theft.

ASCRS immediately contacted FTC staff for clarification about the application of this ruling. FTC staff explained that physicians are considered creditors and, therefore, subject to the rules. 

Due to our concerns about the Red Flags Rule and its impact on our members, ASCRS notified and sought assistance from the American Medical Association (AMA). AMA later responded formally to the FTC rules on behalf of the medical community.

As a result of the medical community’s response, the FTC announced that it would delay enforcement of the “Red Flags Rule” until May 1, 2009, to give creditors, including physician practices, additional time to develop and implement written identity-theft prevention programs. As explained in a press release, FTC staff recognized that some industries within the Commission’s jurisdiction, including healthcare providers, were uncertain about their coverage under the red flags rule, and for this reason, the Commission delayed enforcement.

While the delay was much appreciated, the medical community continues to be concerned that physicians are subject to the Red Flags Rule. The crux of the issue is whether or not physicians are “creditors.” According to the final rule, a creditor is “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.”

During a face-to-face meeting with FTC staff hosted by the AMA, Commission staff explained that Congress, when drafting FACTA, adopted the definition of creditor from the Equal Credit Opportunity Act (ECOA). ECOA defines a creditor as anyone who defers payment for goods or services. The Federal Reserve is responsible for enforcing compliance with ECOA.

ASCRS, the AMA, and others have taken the position that most physicians are not “creditors” and, thus, should not be subject to the Red Flags Rule. The medical community continues to believe, among its many cogent arguments, that physicians should not be considered creditors simply because they accept insurance and hold the patient responsible for any unpaid amount, as the patient’s indebtedness to the physician is not fixed or certain, and there is no extension of credit while the claim is being processed by the insurance company.

Recently, the AMA urged the Commission to issue a new ruling that would explicitly identify physician practices as being subject to the Red Flags Rule and allow the medical community a full opportunity to formally respond to the regulation through the public comment process. There has been no official response from the FTC to this request as of press time.

In the interim, and because of the immediacy of the May 1, 2009 implementation date, the AMA has prepared a guidance document, along with sample policies, so that physician practices can incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies. 

Red Flags Rule Guidance Document
This informative resource addresses the following questions:

· What is the purpose of the Red Flags Rule?
· How do the rules differ from HIPAA Privacy and Security Rules?
· Who has to comply with the Red Flags Rule?
· What is a “Red Flag”?
· How can physician practices comply with the Red Flags Rules?

AMA Identity Theft Prevention and Detection and Red Flags Rule Compliance
This resource includes simple, customizable policies and procedures to incorporate into your practice in order to comply with the requirements of the Red Flags Rule that entities have reasonable policies and procedures in place to identify, detect, and respond to Red Flags.  Also included in this policy is the FTC's Identity Theft Affidavit, which can be used by patients who may be victims of identity theft.

*****

ASCRS, the AMA, and the entire medical community continue to address this issue and will notify you of our progress.  Should you have any questions, please contact the ASCRS Government Relations Department at 703-591-2220.

 


©2009 ASCRS · 4000 Legato Rd., Ste. 700 · Fairfax, VA 22033 | Phone: (703) 591-2220