To no one’s surprise, federal legislation doesn’t always do what its architects originally intended. A bill designed to protect consumers from identify theft can instead leave small hospitalist practices and other healthcare businesses in the lurch over whether they must meet stringent antitheft requirements intended for credit-card companies and banks. A bill designed to add millions of patients to the ranks of the insured could instead subtract millions of dollars from the reimbursements hospitals and doctors receive from private insurers.
—Jon Leibowitz, chairman, Federal Trade Commission
So What’s to Be Done?
An effort to correct one of these lingering headaches—known as the “Red Flags Rule”—is again on the table, though not everyone’s convinced it might finally be fixed seven years after it was first enacted. The rule, folded into the Fair and Accurate Credit Transactions Act of 2003, required the Federal Trade Commission (FTC) and other government agencies to come up with specific measures that “creditors” and “financial institutions” would have to design and implement to counter the growing risk of identity theft.
As intended, these measures would help businesses “identify, detect, and respond” to anything that might suggest identity theft. In other words, they could throw up red flags to warn of illegal activity.
But five years later, as the act’s Nov. 1, 2008, enforcement date was approaching, no one seemed to know exactly which businesses should be considered “creditors.” The act’s vague wording, in fact, created widespread fear that a measure designed principally for banks and credit-card companies would also apply to small accounting, legal, and healthcare practices, saddling them with cumbersome and expensive vetting protocols.
Thus began a series of requests by federal legislators that the FTC delay enforcement until the confusion could be sorted out. After three delays, including the latest pushback from June 1 through the end of this year, the commission’s patience is wearing thin. FTC Chairman Jon Leibowitz has been clear about the agency’s frustration over the extensions in lieu of a permanent resolution.
“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule—and to fix this problem quickly,” he said in a May 28 release. “As an agency, we’re charged with enforcing the law, and endless extensions delay enforcement.”
The not-so-subtle jab at Congressional inaction was aimed at one chamber in particular. Bill HR3763, which adds clarifying language to the rule and specifically excludes accounting, legal, and medical practices with 20 or fewer employees, sailed through the House of Representatives last October by a vote of 400-0. And then it promptly hit a giant sandbar in the form of the Senate. On May 25, Sen. John Thune (R-S.D.) and Sen. Mark Begich (D-Alaska) attempted a relaunch with their introduction of S3416, a near carbon copy of the House bill.
The measure is hardly a fait accompli, given the Senate’s recent track record, but a spokesman for Sen. Thune said the senator’s office is expecting a resolution before the FTC’s latest extension expires. Citing the commission’s decision to delay enforcement soon after the Senate bill’s introduction, he said, “We interpret that as an indication that they want to give Congress time to act, so we’re very optimistic that something will happen this year.”
Of course, the enforcement delay also might have something to do with the joint lawsuit filed May 21 by the American Medical Association, American Osteopathic Association, and the Medical Society of the District of Columbia. In their complaint, the three medical associations charged that the FTC’s application of the rule to physicians is “arbitrary, capricious, and contrary to the law.”