The Federal Trade Commission announced today that it will delay enforcement of its “red flags” rule through Dec. 31 while Congress considers legislation that would exempt physician, attorney and accounting offices with fewer than 20 employees from having to comply. The regulation calls for banks and creditors to have written plans in place to prevent, identify and mitigate identity theft.
The FTC had set a deadline of June 1 for compliance.
The FTC had classified healthcare practices as creditors because patients normally do not pay in full for healthcare services at the time they are delivered. The American Medical Association, American Osteopathic Association and Medical Society of the District of Columbia filed a lawsuit last week seeking to block physician practices from being classified as creditors.
“In applying the 'red flags' rule to physicians who do not require payment in full at the time of providing care to patients, the FTC is exceeding its statutory authority and acting arbitrarily and capriciously,” the lawsuit stated. It cited a 2009 Washington district-court decision on a suit filed by the American Bar Association that lawyers and law firms are not necessarily creditors when they grant clients the right to defer payment and so are not subject to the rule. (That case is currently under appeal.)
“Congress needs to fix the unintended consequences of the legislation establishing the red flags rule—and to fix this problem quickly,” said Jon Leibowitz, FTC chairman, in a news release. “As an agency we're charged with enforcing the law, and endless extensions delay enforcement.”
The “red flags” rule became law Jan. 1, 2008, and the original deadline for full compliance was Nov. 1, 2008. The deadline subsequently was pushed back to June 1, 2010. The FTC said that if Congress passes legislation limiting the scope of the “red flags” rule with an effective date earlier than Dec. 31, the agency will begin enforcement as of that date.