The Federal Trade Commission (FTC) is slated begin enforcement of its Identity Theft Red Flags Rule on August 1, 2009. The Rule requires creditors and financial institutions to adopt identity theft prevention programs. The FTC has repeatedly stated that health care professionals are subject to the Rule.

In a letter from the FTC to the American Medical Association, the FTC confirmed that the "plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services," adding that the burden on health care professionals need not be substantial. The FTC is also concerned with medical identity theft, where a patient uses the name or insurance information of another person. Medical identity theft can result in false billing and potentially life-threatening corruption of a patient's medical records.

According to the FTC, after implementation of the Fair and Accurate Credit Transactions Act of 1993, various federal agencies were obligated to jointly develop rules and guidelines for "financial institutions" and "creditors," which are known as "covered entities." In turn, covered entities need to run a risk assessment on their business to determine if they have "covered accounts"--that is, consumer accounts or accounts that are at risk to identity theft. If an entity has such an account, it must develop and implement an Identity Theft Program to identify, detect, and respond to possible risks of identity theft relevant to the accounts. Any such program must detail the intended response once a "red flag" has been detected. This includes refraining from billing a consumer, reporting the incident to a law enforcement agency, and ensuring the information relating to the thief is not co-mingled with that of the victim. The program must also have provisions to keep current.

Although the AMA has continued to protest health care professionals being included in as covered entities, the FTC's response is that professionals who regularly bill their clients, customers, or patients for services after those services are rendered are creditors under the Equal Credit Opportunity Act (ECOA).

John C. Parmigiani, president of John C. Parmigiani and Associates, which offers compliance consulting, spoke to DOTmed regarding the August 1 enforcement date. "Originally scheduled for November 1, 2008, then postponed until May 1, 2009, this latest compliance enforcement date, I believe, resulted from the FTC's seeing that additional time was needed, especially in light of the ARRA signing and, in the case of health care, the emergence of the HITECH* provisions. I believe it is also indicative of the new administration's approach to new regulatory compliance requirements--to ensure a complete understanding and a corresponding developmental activity [that will] be fully ready when the date for compliance enforcement becomes due. The health care industry should be ready by August 1, given some progress that was made toward the May 1 date and the complementary emphasis of HITECH. Furthermore, the FTC has stated, and I believe, that the August 1 date is firm and will not be delayed again."

More Industry Headlines