The American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit in federal court seeking to prevent the Federal Trade Commission (FTC) from imposing on physician practices the FTC "Red Flags Rule" regarding consumer identity theft protection.

The lawsuit, filed in federal court in Washington on May 21, 2010, alleges that the FTC exceeded its authority under the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") by extending the application of the Red Flags Rule to physicians. According to the suit, the application of the Red Flags Rule to physicians is "arbitrary, capricious and contrary to the law."

FACTA and the Red Flags Rule are aimed primarily at financial institutions and other "creditors" who maintain "covered accounts" such as credit cards or loans. The rule requires "creditors" to implement written identity theft prevention and detection plans. The definition of "creditor" was written broadly in the statute and the FTC interpreted it to include health care organizations, including physician practices, that provide services and later bill patients on an installment program. The Rule was originally set to go into effect Nov. 1, 2008 but has been delayed several times in the face of pressure to limit its applicability. It is currently scheduled to go into effect June 1, 2010.

In the lawsuit the medical associations argue that physicians are not commonly referred to as "creditors," and patients are not ordinarily thought of as "account holders or customers." FACTA uses these terms "to refer to entities whose business is providing credit and to customers of such entities." The lawsuit argues that physicians should not be considered creditors simply because they accept payment after services are rendered. The lawsuit points out the patient care benefits to delaying demand for payment and stresses the fiduciary relationship a physician has with a patient. It also points to the complexity of determining financial liability when a patient is covered by insurance and argues that the patient may not have a "debt" to the physician, due to contractual obligations the physician has with the patient's insurer.

The lawsuit points to public policy reasons why the Red Flags Rule is not necessary for physicians, stressing that physicians are required to protect patient privacy under the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state laws. The associations argue that adding Red Flags Rule compliance will impose an additional and unnecessary administrative burden on physician practices. The lawsuit seeks a declaratory judgment finding that the FTC Red Flags Rule is inapplicable to physician members of the medical associations and state medical societies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.