The fate of a bill that would exempt doctors and other providers from complying with the Federal Trade Commission's Red Flags Rule now rests in the hands of President Obama.
The bill, S. 3987, Red Flag Program Clarification Act of 2010, sponsored by Senators John Thune (R-SD) and Mark Begich (R-AK), was introduced in the Senate on Nov. 30 and unanimously passed on the same day. The bill was then passed by the Senate on Dec. 7 by voice vote. The rule is currently scheduled to go into effect on Dec. 31.
The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
Bill S. 3987 clarifies that small businesses like doctor's offices are not classified as creditors because they do not offer or maintain accounts that pose a risk of identity theft.
"New legislation passed by Congress sheds some much needed light on who is considered a creditor under the red flags rule," said Cecil B. Wilson, MD, president, American Medical Association. "Currently, the Federal Trade Commission has broadly defined creditors to include physicians and other professionals like dentists and lawyers under the red flags rule. The AMA is pleased that this legislation supports AMA's long-standing argument to the FTC that physicians are not creditors. This bill will help eliminate the current confusion about the rule's application to physicians.
"The AMA has worked closely with FTC officials and Congress and is engaged in a lawsuit with other physician groups to get the FTC to permanently remove physicians from the scope of the red flags rule. AMA's efforts have made a difference for physicians, with five delays of the red flags rule implementation date already. We hope that the FTC will now withdraw its assertion that the red flags rule applies to physicians," Wilson said.
FTC Chairman Jon Leibowitz commented on Congress' approval of the bill. "We're pleased Congress clarified its law, which was clearly overbroad," he said. "Now, we can go forward with less litigating and more protecting consumers from identity theft. I want to express my appreciation to Congressmen John Adler and Mike Simpson, and Senators John Thune and Mark Begich, for their excellent work in resolving the uncertainty created by Congress."
In the statement, the FTC said the rule doesn't require any specific practice or procedures. It gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces. Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program – for example, simply having a plan for how they'll respond if they find out there has been an incident of identity theft involving their business.