Red Flags: No Delay for Credit Unions

Latest FTC Extension Applies Only to Physicians
Red Flags: No Delay for Credit Unions
A new agreement to delay ID Theft Red Flags Rule enforcement for physicians does not impact the current date for state-chartered credit unions.

The Federal Trade Commission (FTC) on June 25 signed a court-approved agreement to hold off on enforcing the Red Flags Rule for physicians until at least 90 days after an appellate court rules on a case involving enforcement of the rule for attorneys.

But according to FTC spokesperson Frank Dorman, this agreement has no bearing on state-chartered credit unions or any other entities, which still face the Dec. 31 enforcement date announced at the end of May.

"In the meantime, other folk, such as the credit unions, will have to wait and see what Congress [does]," Dorman says. The latest delay - the fifth since the Red Flags Rule was enacted in 2008 - was designed to give Congress time to decide whether to enact relevant legislation exempting certain groups. "We hope Congress will tell us who will be covered," Dorman says.

Under the Red Flags Rule, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.

Originally, all affected entities - including automobile dealers, utility companies and healthcare providers -- were to show compliance with the Red Flags Rule by Nov. 1, 2008, the same deadline as that met by banks and other financial institutions, including federal credit unions. But in late October of 2008, the FTC extended the deadline by six months for the roughly 11 million entities it oversees. This move was to give non-banking creditors and state-chartered credit unions additional time to develop and implement written identity theft prevention programs. Since then, there has been a series of further delays stemming from questions about what types and sizes of entities should be exempt from the Red Flags rule.

Doctors' Lawsuit

Earlier this year, the AMA and two other physicians groups filed a lawsuit seeking to prevent the FTC from applying the rule to doctors.

In arguing against applying the rule to physicians, the AMA and other associations contended it is unnecessary.

"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patient's medical information," said Peter Lavine, M.D., alluding to the HIPAA privacy and security rules. "It is unnecessary to add to the existing web of federal security regulations physicians must follow," added Lavine, president of the Medical Society of the District of Columbia, which joined in the AMA lawsuit. The Latest Move

In the June 25 "joint stipulation," the FTC agreed that it would not enforce the rule for physicians until 90 days after an opinion is issued by the U.S. Court of Appeals for the District of Columbia Circuit on the American Bar Association's case against the FTC. The lower court ruled in favor of the ABA in its bid to exempt attorneys from the rule, which paved the way for the AMA's suit.

Two U.S. Senators recently introduced legislation to exempt smaller healthcare, accounting and legal practices from the Red Flags Rule.

The Senate bill would exempt practices in the three sectors with 20 or fewer employees. It applies to healthcare professionals, including physicians, dentists, podiatrists, chiropractors, several types of therapists and veterinarians. A very similar bill, H.R. 3763, passed the U.S. House last year on a 400-0 vote.

The June 25 "joint stipulation" document notes that if Congress passes legislation to reinstate FTC enforcement of the Red Flags rule for some or all physicians, that law would take precedence over the court agreement.

Tracy Kitten, Managing Editor, contributed to this report.


About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.