An author on Red Flags Rule compliance tells HealthLeaders Media that eliminating small practices from complying with the FTC's identity theft prevention program regulation would lead to more identity violations.
In December 2009, the U.S. District Court issued a summary judgment in favor of the American Bar Association that said the Red Flags Rule does not apply to attorneys or law firms.
Piggybacking off that decision, a group that includes the American Dental Association, American Medical Association, American Osteopathic Association, and the American Veterinary Medical Association wrote a letter to the FTC urging it to remove them from compliance. Also, the House passed a bill last year that calls for removing entities with 20 or fewer employees from Red Flags Rule compliance.
The FTC's compliance date with Red Flags has been in effect for nearly a year and a half (November 1, 2008). The enforcement date, however, has been delayed four times. It is now June 1, 2010.
Randy Berry, BA, CPA, financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, says it would be unfortunate if entities with 20 or fewer employees are let off the compliance hook.
"Smaller businesses with small multi-tasking staffs have fewer controls and are more at risk than that of larger businesses with a larger staff size," says Berry, author of the Red Flag Manual and Training CD Package. "Small businesses are more prone to customer identity theft."
The FTC is fighting back to get smaller entities to comply. On February 25, FTC filed a notice that appeals the U.S. District Court's December judgment in favor of the ABA's stance that attorneys and law firms are not considered "creditors," per the FTC's Red Flags Rule definition. (All "creditors" must comply).
"We are disappointed that the Federal Trade Commission has decided to appeal its loss of the Red Flags litigation in the District Court," ABA President Carolyn Lamm said on the ABA's Web site.