Frankly, I have lost count of how many times FTC has moved the deadline already (see my related post from 2009). This time, however, the deadline is so close (about a week out at the time of this blog post) that I think the rule is finally going to take effect. Again, I may be proved wrong… let us wait and see!
Aside from the rule taking effect, enforcement of the rule is going to be interesting to watch! Just this past Thursday, AMA and two other physician groups filed a suit contending that the rule shouldn’t apply to physicians. The rule had already been contested by lawyers and accountants.
AMA’s suit comes after several back-and-forth discussions with FTC over the last year or so. It looks like AMA wasn’t obviously convinced that the rule should apply to physicians despite what I thought was this compelling argument by FTC.
AMA’s main contention has been that hospitals and physicians are already subject to HIPAA Security and Privacy Rules and therefore the Red Flags Rule shouldn’t apply to them. From my experience, however, I believe that most HIPAA Security/Privacy Programs may not be effective against Identity Theft tricksters of today. I would recommend that health care providers implement a risk-based, written Identity Theft Prevention Program to supplement the Administrative Requirements (§ 164.530) of the HIPAA Privacy Rule and Administrative Safeguards (§ 164.308) of the HIPAA Security Rule.
I think the below quote from FTC’s letter sums it up well:
“The Rule is designed to prevent identity theft primarily by ensuring that organizations are alert to signs that an identity thief is using someone else’s identifying information fraudulently to obtain products or services, including services such as medical care. Thus, the Red Flags Rule generally complements rather than duplicates the HIPAA data security requirements.”