Lawsuit wants to block docs from 'red flags' rule
Arguing that it lumps physician practices in the same category as banks, credit card companies and mortgage lenders, a lawsuit was filed in federal court in Washington seeking to block the Federal Trade Commission from imposing on doctors its “red flags” rule, which deals with preventing, detecting and mitigating identity theft.
The lawsuit, filed by the American Medical Association, the American Osteopathic Association and the Medical Society of the District of Columbia, states that the rule requires financial institutions to implement a written identity-theft prevention and detection plan and notes that the FTC had announced that affected physicians had until June 1 to comply.
“In applying the 'red flags' rule to physicians who do not require payment in full at the time of providing care to patients, the FTC is exceeding its statutory authority and acting arbitrarily and capriciously,” the lawsuit states. It cites a 2009 Washington district-court decision on a suit filed by the American Bar Association that lawyers and law firms are not necessarily creditors when they grant clients the right to defer payment and so are not subject to the rule. (That case is currently under appeal.)
For Les Spry, a Lincoln, Neb.-based nephrologist, compliance with the rule required consulting with an attorney to combine the elements of the AMA's “boilerplate” identity-theft plan with the existing policy that his seven-physician, 11-employee practice instituted under the Health Insurance Portability and Accountability Act of 1996. He said his primary objection is having a nonhealthcare-related bureaucracy dictating his practice's operations.
“We came up with a written policy that says, ‘Yes, we won't release financial information to people who don't deserve it,' but this is just another unfunded mandate where we're asked to do more while they're cutting our reimbursement,” said Spry, the immediate past president of the Nebraska Medical Association. “I'm not sure what the Federal Trade Commission has to do with healthcare. We already have the CMS, so this just adds another layer of bureaucracy and another group of people prying over my shoulder and my patients' shoulders.”
A representative from the FTC could not be reached for comment by deadline.
The AMA suit further states that the FTC has failed to articulate “a rational connection between the practice of medicine and identity theft” and hasn't given physicians reasonable notice and the opportunity to comment on the rules being formulated.
“The final ‘red flags' rule provided no indication from the FTC that physicians fell within the definition of ‘creditor,' ” said AOA President Larry Wickless in a news release. “The FTC's decision to apply the rule to physicians is both misguided and inconsistent with its regulatory power.”
“To call us a bank seems to me the height of idiocy,” Spry said, adding that his patients rarely pay up front and, when they do, it's never certain how much of his practice's service will be covered by insurance. When patients do pay at the time of service, they usually wind up getting a partial refund.
While acknowledging that the connected legal fees for developing a written “red flags” rule policy only cost him “maybe $100,” Spry said there was an additional investment of time in educating his employees about the written policy and then generating the paperwork to document to the government that his employees received that training.
“I'm actually objecting to the thought that we're a bank,” Spry said. “I just hope that people understand that medical practices are small businesses, and the more demands you put on a small business, the more difficult it becomes to stay afloat.”
The lawsuit notes that “red flag” is defined as “a pattern, practice or specific activity that indicates the possible existence of identity theft,” and the written plan for which the FTC calls would include steps to prevent, detect and mitigate identity theft.
The news release also noted that the lawsuit does not suspend the June 1 deadline.
The "red flags" rule became law on Jan. 1, 2008, and full compliance originally was required by Nov. 1, 2008. That deadline was pushed back until Nov. 1, 2009, and then again to June 1, 2010, after the House overwhelmingly passed H.R. 3763, which exempted "any healthcare practice, accounting practice, or legal practice with 20 or fewer employees from the meaning of creditor subject to red flag guidelines regarding identity theft."
The measure went to the Senate on Oct. 21, 2009, and was referred to the Senate Banking Committee. The Senate hasn't acted on the bill.