|
As many HME providers are aware, on May 28 the Federal Trade Commission announced it would delay enforcement of the Red Flags Rule from June 1 to Dec. 31, 2010.
The commission cited congressional consideration of legislation that would affect the scope of entities covered by the rule to require businesses to take specific steps to minimize identity theft.
As an example, S. 3416, introduced on May 25 in the Senate, would exempt “health care practices and professionals” with 20 or fewer employees, as well as accounting and legal practices of similar size. Covered health care professionals under the bill include “physicians, dentists, podiatrists, chiropractors, physical therapists, occupational therapists, marriage or family therapists, optometrists, speech therapists, language therapists, hearing therapists and veterinarians”. Note: DMEPOS (e.g. HME, DME, O&P) facilities and home health agencies do NOT appear to be exempt (!)
The commission in its announcement urged Congress to quickly act "to pass legislation that will resolve any questions as to which entities are covered by the rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date."
According to an FTC statement, the end of the year will give time "while Congress considers legislation that would affect the scope of entities covered by the Rule. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original Nov. 1, 2008 deadline for institutions subject to their oversight to be in compliance."
In the statement, FTC Chairman Jon Leibowitz said, "Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule—and to fix this problem quickly." He added, "As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
This constitutes the fourth time that the FTC has delayed enforcement of the Rule, which was originally scheduled for enforcement on November 1, 2008.
In a separate development, on May 21, 2010, the American Medical Association (AMA) and two other physician associations filed a lawsuit challenging the application of the Rule to physicians. The lawsuit asserts that the FTC exceeded its authority by including physicians in the Rule. In a statement issued when the lawsuit was filed, the groups state that, “[t]his unjustified federal regulation of medicine treats physician practices like banks, credit card companies and mortgage lenders.” Previously, in a lawsuit brought by the American Bar Association, a federal court ruled on November 29, 2009 that the Rule does not apply to attorneys.
By way of background, the Rule was enacted under the Fair and Accurate Credit Transactions Act of 2003, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The Rule requires that all entities meeting these definitions develop and implement identity-theft prevention programs. The FTC issued guidance indicating that any health care provider that does not obtain full payment for its services at the time of service is a “creditor” within the meaning of the Rule. The AMA and other health care trade associations have objected to that interpretation, and members of Congress have been sympathetic to those objections.
The May 28 Press release follows below.
VGM will continue to monitor the legislation and provide guidance and compliance tools. If you have questions or concerns, please contact Mark Higley at mark.higley@vgm.com or call 800.642.6065.
FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule
At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.
"Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule - and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift," FTC Chairman Jon Leibowitz said. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft.
The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.
The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.
In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form ( www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm). The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.
As was the case previously, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R.§641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R.§681.2).
For questions regarding this Enforcement Policy, please contact Naomi Lefkovitz or Pavneet Singh, Bureau of Consumer Protection, 202-326-2252.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's Web site provides free information on a variety of consumer topics.
MEDIA CONTACT:
Office of Public Affairs
202-326-2180
Back to Archived Articles
|
