Taking steps to combat identity theft, the Federal Trade Commission (FTC) issued a final rule in November of 2007 which mandates all financial institutions and “creditors” to develop and implement identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Originally set to be in place by November 1, 2008, the FTC announced the new compliance deadline to be May 1, 2009.
The problem of course is that physicians are rarely creditors.
Under the FTC’s extremely broad definition of a “creditor”, physicians are included and must adhere to this compliance date; taking immediate steps which will be financially burdensome for most hospitals and private practices. According to MedPage Today, in a survey of 100 hospitals, 91 said they would have to spend over $10,000 to comply with the Red Flags Rule. Any failure to comply with this new rule would warrant $2,500 per violation.Physicians are “creditors”? If you disagree with that then you are not alone. The American Medical Association (AMA) along with over 100 undersigned medical organizations has written a letter to the chairman of the FTC, respectfully disagreeing with the FTC staff’s conclusion that physicians are “creditors” and must be in compliance with act by May 1st, 2009. The letter also argues that the FTC failed to comply with the Administrative Procedure Act (APA), which requires the FTC to provide the public with notice and the opportunity to comment. Also, this new compliance duplicates much of the preexisting Health Insurance Portability and Accountability Act (HIPAA) compliance that all medical organizations are currently required to follow by law.
A large majority of physicians and managers are not aware of the law itself, let alone the implications it may have on their organization.