Skip to main content

Red Flags Rule Compliance Date Approaching - American Medical Association Sues

It’s been a while since we have visited the Federal Trade Commission’s Red Flags Rule here in this blog. The oft-postponed deadline is now fast approaching on June 1. Except, that is, for lawyers and now, doctors.

On Friday, the American Medical Association filed a lawsuit against the FTC for defining physicians as “creditors” and claiming that requiring physicians to comply with the Red Flags Rule could jeopardize the doctor-patient confidential relationship. The Red Flags Rule (to refresh your memory) requires that “creditors” establish identity theft protection programs and would likely require physicians to obtain positive identification of patient identity – before providing treatment, as argued by the AMA.

The lawsuit argues that the FTC acted beyond its authority because physicians are not creditors and patients are neither accountholders nor customers under the Fair and Accurate Credit Transactions Act (FACTA). The latter is a more likely argument than the former. Under FACTA, an “entity that regularly defers payment for goods or services” can be considered to be a creditor and physicians routinely bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. I have been in doctor’s offices over the last 6 months where new patients are asked for their insurance card, and their driver’s license or a photo ID. This would seem to be a small step towards controlling medical identity theft.

Read about medical identity theft at World Privacy Forum Medical Identity Theft Page

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.