RED FLAGS RULE COMPLIANCE DATE C

RED FLAGS RULE COMPLIANCE DATE CHANGED

“Red flags" rule compliance date moved up to August 1, 2009

Physician practices now have until Aug. 1 to comply with the Federal Trade Commission's (FTC) "red flags" rule, which requires physicians to institute policies to identify, detect and respond to potential risks of identity theft. The rule originally was to have taken effect May 1, but the FTC voted April 30 to delay the compliance date for three months. The AMA will use this time to convince the FTC and Congress that physicians are not "creditors" and therefore should not be subject to the rule.

A news release sent out by The Federal Trade Commission stated that the FTC will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

In a statement FTC Chairman Leibowitz noted that “given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

The AMCNO has sent out detailed publications regarding compliance with the Red Flags Rule that was to become effective on May 1, 2009. Physician offices are urged to retain this information and watch the AMCNO email blasts and web site for additional information.

Additional information is also available on the FTC web site at www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, and at another link on the FTC site at www.ftc.gov/redflagsrule. The FTC is currently working on a compliance template and the AMCNO will inform our members as soon as that information becomes available on their site.