Doctors Continue Pursuing Red Flags Exemption

The Red Flags Rule is a federal regulation requiring that banks and creditors implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. We like the policy and see it as a tool that can help organizations cut identity theft risk. The implementation of good, streamlined security practices makes good business sense.

Trade groups representing the medical community don’t share that enthusiasm, however.

As InformationWeek reports , the American Medical Association, American Dental Association and American Veterinary Medical Association sent a joint letter to FTC Chair Jon Leibowitz asking for an exemption from the rule. The FTC has interpreted the law, a tenet of the Fair and Accurate Credit Transactions (FACT) Act of 2003, as applying to a range of trade groups that accept deferred payment for services. The FTC has postponed implementation of the rule four times for companies outside the financial sector, while various professions have argued for exemptions. Currently, the law is scheduled to go into effect June 1.

The American Bar Association sued the FTC and won, successfully arguing in U.S. District Court in the District of Columbia that Red Flags should not apply to lawyers. That ruling prompted the healthcare groups to call the rule an “unfunded mandate” for their members. “The court ruling sends a clear signal that the FTC needs to re-evaluate the broad application of the red flags rule,” said AMA President Dr. J. James Rohack in a statement quoted by InformationWeek. “Our four organizations firmly believe that applying the rule to health professionals, but not to lawyers, would be unfair.”

InformationWeek health blogger George Hulme writes that healthcare providers should be doing more to protect patient information, not less, particularly considering the efforts the government is undertaking to prod doctors to switch to electronic medical records for every American by 2014. The new Obama budget includes $78 million for health IT, $17 million more than last year.

“With all of our health records being digitized, and the growth of medical identity theft, it’s not asking that much for the stewards of this data to step up,” Hulme writes.

We agree. Red Flags Rule implementation is a step towards shifting the burden of identity theft protection from the consumer to the businesses that issue credit and render services using sensitive personal information.  This should include the business of healthcare. Protecting against fraud is, after all, a collective effort.