Docs seek to block 'red flags' rules

Arguing that it places physician practices under the same regulations as banks, credit card companies and mortgage lenders, a lawsuit was filed in federal court in Washington seeking to block the Federal Trade Commission from imposing on doctors its “red flags” rule which deals with preventing, detecting and mitigating identity theft.

The suit, filed by the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia, states that the rule requires “financial institutions” to implement a written identity-theft prevention and detection plan and notes that the FTC had announced that the physicians had until June 1 to comply.

“In applying the Red Flags Rule to physicians who do not require payment in full at the time of providing care to patients, the FTC is exceeding its statutory authority and acting arbitrarily and capriciously,” according to the suit. It also cites a Nov. 29, 2009 decision where the American Bar Association filed a similar suit against the FTC and the district court held that lawyers and law firms were not necessarily “creditors” when they grant clients the right to defer payment and so were not subject to the rule. (That case is currently under appeal.)

The suit further states that, “by failing to articulate a rational connection between the practice of medicine and identity theft,” the FTC has acted arbitrarily and capriciously, and also failed to give physicians reasonable notice and the opportunity to comment on the rules as they were being formulated and interpreted.

“The final red flags rule provided no indication from the FTC that physicians fell within the definition of ‘creditor,'” said Larry Wickless, AOA president, in a news release. “The FTC's decision to apply the rule to physicians is both misguided and inconsistent with its regulatory power.”

The release also noted that the lawsuit does not suspend the June 1 deadline.

The lawsuit notes that “red flag” is defined as “a pattern, practice, or specific activity that indicates the possible existence of identity theft,” and the written plan the FTC calls for would include steps to prevent, detect and mitigate identity theft and update it periodically while training staff to implement the plan.