The filing of a lawsuit on May 21, 2010 by the American Medical Association (AMA) against the Federal Trade Commission (FTC) could signal yet another delay of the enforcement deadline of the Red Flags Rule.
The Red Flags Rule requires many businesses to develop, implement and administer an Identity Theft Prevention Program designed to detect the warning signs (or red flags) of identity theft, as well as to prevent and mitigate them. Similar to an AML program, the Identity Theft Prevention Program should be tailored to the risks of identity theft and must contain certain core elements.
The FTC’s original enforcement deadline of November 1, 2008 for non-bank entities has been delayed several times already and currently is scheduled to take effect on June 1, 2010. Federal regulatory banking agencies have already begun enforcing the rule.
The AMA’s lawsuit (pdf), filed on behalf of physicians, follows on the heels of successful lawsuits brought by the American Bar Association (ABA) on behalf of lawyers and the American Institute of Certified Public Accountants (AICPA) on behalf of accountants. In those cases, federal courts granted summary judgment for the ABA and enjoined the FTC from enforcing the Red Flags Rule against accountants for 90 days after a decision has been rendered by the court of appeals in the ABA case.
Congress is also considering legislation that would provide exemptions from the Red Flags Rule for certain professions, including lawyers, accountants and physicians. Despite passing in the House of Representatives by a 400-0 vote on October 20, 2009, H.R. 3763 (pdf) has yet to be considered by the Senate, and no related bills have been introduced in the Senate.
In light of the federal court’s injunction preventing enforcement of the FTC’s Red Flags Rule against accountants, it appears probable that a similar injunction will be entered in the action filed by the AMA. That is, the court may decide that the interests of justice are best served by enjoining enforcement of the Red Flags Rule against physicians until the FTC’s appeal in the ABA case has been decided.
In the meantime, hospitals, physicians’ offices, and other businesses that may be subject to the Red Flags Rule should become knowledgeable about the Red Flags Rule’s requirements and prepare to implement an Identity Theft Prevention Program in the event the enforcement deadline is not delayed past June 1, 2010.