The Red Flag Rules were initially intended to be enforced starting June 1, 2010 but members of Congress decided in a press release issued on May 28th, 2010 to have the Federal Trade Commission (FTC) announce that it would delay enforcement of the Red Flag Rules until December 31, 2010.
Although this was communicated by the FTC on May 28th, 2010, it is recommended that your practice be forewarned as enforcement on these rules could still start before the end of the calendar year.
The reason for Congresses delay is due to the fact they requested another delay in the enforcement timeline because they are still working on the legislation to limit the rules and regulations surrounding the Red Flag Rules. Based on information released by the FTC, "a limited further delay of the rules area justified so that the FTC does not begin to enforce a regulation that Congress plans to over-rule." It is essential to know though that the FTC has stated it will start enforcement before the end of the calendar year if Congress passes a law with an earlier effective date.
The House of Representatives unanimously passed H.R. 3763 on October 20, 2009, which is a bill that would automatically relieve physician practices with 20 or less employees from the Red Flag Rules and allow other practices to request an exemption from the FTC. The bill was introduced to the Senate Committee on Banking, Housing and Urban Affairs on October 21, 2009 but the Senate did not introduce the bill until May 25th, 2010, and no one has voted on it.
The Red Flag Rules requires all creditors, or those who provide goods and or services and allow customers to pay later (i.e. an example is when a medical practice renders service, files the claim and then finds out the patient has not met their deductible and therefore the patient is responsible for that particular date of service and billed accordingly) to implement an Identity Theft Prevention Program. The intentions of the rules are to protect consumers from identify theft by requiring businesses to show they can protect sensitive financial and personal data. Under this definition, the FTC considers most physician practices to be creditors and therefore expects them to implement the necessary procedures and processes to comply with the Red Flag Rules regardless of when they are implemented.