Implementation of the Red Flag Rules has been postponed again—until June 1, 2010—as legislation continues snaking through Congress that would allow the Federal Trade Commission (FTC) to exempt healthcare and legal practices of 20 or fewer employees from the rule mandated by the 2003 Fair and Accurate Credit Transactions Act.

 

This legislation, however, opens the door to showing how the FTC's broad interpretation of the act originally intended for doctors, lawyers and accountants to be classified as creditors, and provides little more than a small business exception for those professionals.

 

Adding a twist to the debate, the U.S. District Court for the District of Columbia granted on Oct. 29 the American Bar Association's (ABA) request for summary judgment in a case challenging the FTC's application of the 2003 Fair and Accurate Credit Transactions Act to lawyers. The decision, handed down just days before the Red Flag Rules were scheduled to go into effect, prohibits the FTC from imposing new identity theft regulations on lawyers, who would have been forced to verify the identities of potential clients.

 

ABA president Carolyn B. Lamm called the ruling "an important victory for American lawyers and the clients we serve."

 

Represented by a Proskauer Rose team led by partner Steven Krane, the ABA argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers were not covered by the rule. The FTC contended that attorneys should be considered creditors because many of their billing practices, such as charging clients on a monthly basis rather than up front, classified them as such.

 

Judge Reggie Walton said he had trouble accepting the FTC's definition of a creditor because their interpretation would also apply to other professionals such as plumbers, who charge customers after-the-fact for work spanning several days.

 

"I have a real problem with concluding that Congress intended to regulate lawyers when these statutes were enacted," Walton said.

 

Michael Lowe, an Orlando-based, board-certified healthcare attorney, said he doesn't believe the Red Flag Rules were intended to apply to professionals such as doctors and lawyers because healthcare professionals must be compliant with the HIPAA Privacy and Security Regulations, and many healthcare attorneys are already business associates of their physician clients, and therefore, are also governed by HIPAA.

 

"Healthcare professionals or doctor/physician group practices that are compliant with HIPAA, chances are they're 85 to 90 percent compliant with the Red Flag requirements," he explained.

 

The Red Flag Rules are intended to combat and prevent identify theft, said Lowe. "The three primary things necessary for an identity thief to steal someone's identity are name, social security number, and date of birth," he said. "All three of those things are routinely kept in a healthcare provider's records for a patient, and all three of them are considered to be categories of protected health information under HIPAA. So if a doctor/group practice is already taking the steps needed to become HIPAA compliant, then they're there in most cases and don't need to reinvent the wheel to get compliant."

 

Additionally, the Red Flag Rules are designed to govern creditors—those individuals and entities that extend credit on a regular basis as part of their business operations, such as banks, financial companies, lenders, mortgage companies, and credit care companies. 

 

"Doctors and lawyers rarely extend credit," said Lowe. "It's not what we do as part of our core business practices. That's what the ABA and AMA have been arguing to the FTC. Simply stated, we shouldn't be covered by the Red Flag Rules because we're not creditors. Moreover, most health professionals are already governed by HIPAA and state medical record confidentiality laws, which require them to protect the privacy and security of their patients' info. Thus, they're already doing much of what the Red Flag Rules require."