AMA and AOA Sue Federal Trade Commission to Exclude Physicians From "Red Flags Rules"

May 21, 2010

May 21, 2010 — The American Medical Association (AMA) and the American Osteopathic Association (AOA) today filed a lawsuit against the US Federal Trade Commission (FTC) to prevent the agency from subjecting medical practices to identify-theft regulations called "Red Flags Rules."

The Red Flags Rules are so named because financial institutions and credit-extending businesses like auto dealerships covered by the regulations must draft written plans on how they will look for warning signs, or red flags, of identity theft, and respond to any they find.

In their lawsuit, the 2 medical associations contend that physicians are already addressing privacy concerns under the Health Insurance Portability and Accountability Act (HIPAA) and that the Red Flags Rules would impose an unnecessary administrative burden on them, not to mention interfere with the physician-patient relationship. They also argue that physicians do not amount to creditors under the law simply because they allow patients to pay their bills after the time of service.

Another plaintiff in the suit, filed in a federal district court in Washington, DC, is the Medical Society of the District of Columbia.

Suit Argues That Physicians Are Sometimes Forced to Defer Payment

The Red Flags Rules stem from the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Businesses covered by the regulations were supposed to fully comply with them by November 1, 2008, but the FTC extended the deadline several times, finally making it June 1, 2010.

In its lawsuit, the medical-society plaintiffs argue that physicians do not fit the definition of a creditor as it appears in FACTA. Furthermore, physicians are sometimes forced to forgo collecting from patients at the time of service. Sometimes the patient is simply under stress. Other times, a patient is receiving emergency care, and he or she may even be unconscious.

"It would violate the norms of human decency, not to mention principles of ethical conduct...for a physician to demand payment at the time of service in such situations," the lawsuit states.

It adds that when patients are insured, medical practices may not know the patient's share of the charge until after the insurer has processed the claim. Some insurance contracts even prohibit physicians from collecting from patients at the time of service.

The FTC requirement to check out each patient's identity in advance of treatment poses a patient-care problem as well, according to the suit. "The FTC requires physicians to approach each new patient with skepticism concerning his or her identity," the suit states. This policy "compromises physicians' ability to gain new patients' trust, which is essential to the well-being of patients."

FTC Says Red Flags Rules Are Needed to Prevent Medical Identity Theft

The FTC has already responded to many of the objections that organized medicine has made regarding the Red Flags Rules, and it has stuck to its regulatory guns about applying them to physicians.

In a February 2009 letter to the AMA, the FTC asserts that physicians are indeed covered by the definition of creditor in the Red Flags Rules and noted several ways in which they act like creditors, such as requiring patients to sign financial-responsibility statements and reporting medical debts to consumer reporting agencies.

The agency maintains that the Red Flags Rules are relevant to healthcare in light of the growing problem of medical identity theft, in which "a patient seeks care using the name and insurance information of another person." Some providers, the agency stated, are already asking patients for a photo ID to prevent this fraud.

Implementing Red Flags policies, tailored to each practice's circumstances, need not impose "significant burdens for most providers," according to the FTC letter. A Red Flags program might be as simple as asking patients for a photo ID and having a procedure in place to deal with cases of pilfered identity.

The FTC also stated that the Red Flags Rules do not duplicate the privacy and data security requirements that HIPAA imposes on physicians, but rather, generally complements them.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.
Post as: