Lawsuit delays 'Red Flags Rule' enactment for urologists and other physicians

September 1, 2010

Implementation of the "Red Flags Rule" by the Federal Trade Commission, which would require medical practices and other businesses to take specific steps to minimize identity theft and which has been challenged by the AUA, has been delayed until a federal appeals court rules on a lawsuit by the American Bar Association.

A federal district court last October agreed with the ABA's challenge of the FTC's decision to require attorneys to comply with the Red Flags Rule, and on July 21, the agency filed an appeal. The FTC contends that lawyers act as creditors when they provide legal services without immediate payment from the client-essentially the same position taken by the agency with respect to physicians.

The rule requires covered businesses to develop a written program to spot the warning signs-or "red flags"-of identity theft. The intention is to protect consumers from identity theft by requiring businesses to show they can protect sensitive financial and personal data.

The agreement was reached with the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia, which filed its own suit against the FTC on May 21. In that suit, joined by the AUA and a number of other specialty societies, the medical groups also argued that physicians are not creditors, as stated by the FTC, and should not be forced to meet the regulation's privacy protection requirements.

Under intense pressure from numerous businesses and members of Congress, the FTC on May 28 delayed enforcement of the Red Flags Rule from the previous effective date of June 1, 2010 to Dec. 31. The latest action resulting from the ABA's case now means that physician compliance likely will be delayed past that date.

The FTC was scheduled to answer the physician groups' lawsuit by July 20, but that date was delayed until 60 days after the appeals court's decision in the ABA case.