FTC Agrees to Temporarily Exempt Physicians from “Red Flags” Rule Enforcement

Physicians facing new challenges under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) following the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) recently received some welcome news regarding Federal Trade Commission (FTC) activity in the privacy sphere.  The FTC has agreed to delay enforcement of the anti-identity theft “Red Flags” Rule against physician members of the American Medical Association (AMA), the American Osteopathic Association and the Medical Society of the District of Columbia.  The delay is memorialized in a June 25, 2010 joint stipulation to the U.S. District Court for the District of Columbia, where the physician groups are pursing a lawsuit against the FTC in which they object to the FTC’s position that physicians are subject to the Red Flags Rule. 

The Red Flags Rule, promulgated by the FTC pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, currently requires “creditors” with “covered accounts” to take steps to help prevent identity theft.  Specifically, entities covered by the Red Flags Rule must develop and implement written programs to identify, detect and respond to warning signs that may indicate identity theft.

In their action, the AMA and the other plaintiffs argue that physicians must already comply with rigorous privacy protection requirements of HIPAA and claim that the Red Flags Rule would interfere with the physician-patient relationship.

Under the joint stipulation, the FTC will suspend enforcement against physicians until the U.S. Court of Appeals for the District of Columbia reaches a decision in a similar suit filed by the American Bar Association (ABA) against the FTC, in which the ABA claims the FTC exceeded its jurisdiction in extending the reach of the Red Flags Rule to include attorneys.  Separately, the FTC also recently delayed general enforcement of the Red Flags Rule until December 31, 2010.  

Contact Information

For more on the Red Flags Rule and its requirements, including an overview of the components of a Red Flags Program and highlights of Red Flags Program administration requirements, see the Akin Gump alerts “FTC Delays Enforcement of Identity Theft Prevention Regulations Through December 31, 2010” and “FTC Set to Begin Enforcing Identity Theft Prevention Regulations on August 1, 2009.” 

If you have any questions regarding this alert, the Red Flags Rule or laws concerning the privacy and security of health information, more generally, please contact—

Jo-Ellyn Sakowitz Klein

Washington, D.C.

Anna R. Dolinsky

Washington, D.C.