Physicians Sue to Block Red Flags Rule

AMA, others argue rule is unnecessary in healthcare
Physicians Sue to Block Red Flags Rule
The American Medical Association and two other physician groups have filed a lawsuit seeking to prevent the Federal Trade Commission from applying the Identity Theft Red Flags Rule to doctors.

Enforcement of the rule in healthcare is slated to begin June 1 after repeated delays. And the AMA stressed in a release that its legal action "does not suspend the looming deadline."

In arguing against the rule, the groups argue that it's unnecessary, given other regulations already on the books.

"Physicians are already ethically and legally responsible for ensuring the confidentiality and security of patient's medical information," says Peter Lavine, M.D., alluding to the HIPAA privacy and security rules. "It is unnecessary to add to the existing web of federal security regulations physicians must follow," adds Lavine, president of the Medical Society of the District of Columbia, which joined in the federal lawsuit.

Identity theft protection
Under the Red Flags Rule, which dates back to 2007, any organization that extends credit to its clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.

The FTC already is enforcing the rule for many financial services companies under its watch, including some credit unions. But it has repeatedly delayed enforcement in healthcare in reaction to protests and concerns.

The associations contend that applying the rule to physicians is "arbitrary, capricious and contrary to the law."

"This unjustified federal regulation of medicine treats physician practices like banks, credit card companies and mortgage lenders," says AMA President-Elect Cecil Watson, M.D. "The extensive bureaucratic burden of complying with the Red Flags Rule outweighs any benefit to the public."

Larry Wickless, D.O., president of the American Osteopathic Association, which also joined in the suit, adds: "The final Red Flags Rule provided no indication from the FTC that physicians fell within the definition of a creditor."

Earlier petition failed
Earlier this year, the AMA and other physician groups petitioned the FTC to exclude physicians from the rule. The FTC responded on March 25 saying it could not accommodate the request, according to the AMA.

In that petition, the physician groups noted a recent federal court ruling exempting attorneys from the rule.

A different perspective
Despite the protests over the rule, some security experts argue that it makes good business sense to comply.

For example, Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash., says that complaining about the Red Flags rule is a waste of time "because healthcare organizations should already have the policies and practices in place to address the issue of financial identity theft."

He notes that many states already have regulations in place that are very similar to the Red Flags Rule. "And having a program in place to detect ID theft should be routine for any size organization," he argues.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.