FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association's suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."

AMA Adopts Policy on "Professionalism in the Use of Social Media"

The American Medical Association recently published a policy on "Professionalism in the Use of Social Media," in an apparent attempt to address growing concerns about patient confidentiality and privacy in various internet settings. 

While the policy mostly consists of "considerations" that physicians should "weigh" when maintaining an online presence (none of which are new or earth-shattering), there was one notable exception -- a snitch rule: 

"When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions. If the behavior significantly violates professional norms and the individual does not take appropriate action to resolve the situation, the physician should report the matter to appropriate authorities." 

(Emphasis added.)

The specific considerations in the AMA policy are as follows:

(a) Physicians should be cognizant of standards of patient privacy and confidentiality that must be maintained in all environments, including online, and must refrain from posting identifiable patient information online.

(b) When using the Internet for social networking, physicians should use privacy settings to safeguard personal information and content to the extent possible, but should realize that privacy settings are not absolute and that once on the Internet, content is likely there permanently. Thus, physicians should routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and, to the extent possible, content posted about them by others, is accurate and appropriate.

(c) If they interact with patients on the Internet, physicians must maintain appropriate boundaries of the patient-physician relationship in accordance with professional ethical guidelines, just as they would in any other context.

(d) To maintain appropriate professional boundaries physicians should consider separating personal and professional content online.

(e) When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions. If the behavior significantly violates professional norms and the individual does not take appropriate action to resolve the situation, the physician should report the matter to appropriate authorities.

(f) Physicians must recognize that actions online and content posted may negatively affect their reputations among patients and colleagues, may have consequences for their medical careers (particularly for physicians-in-training and medical students), and can undermine public trust in the medical profession.

FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule.

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Reporting Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed the order and the United States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

AMA Adopts Principles on EMR Breach

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient's electronic medical record were to be breached.  The new AMA guidelines ask physicians to:

  1. ensure patients are properly informed of the breach and the potential for harm;
  2. follow ethically appropriate procedures for disclosure, including:
    a) confidential disclosure of the breach in a timely manner; and
    b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
  3. support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and 
  4. to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The report itself states that the "suggestions are not intended to be comprehensive" and it's right -- these general rules raise more questions than they answer:

i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient's best interest?
iii) how is a physician to know the "potential for harm"?

In particular, that third element -- placing the interests of patients above those of physicians, their practice or hospital -- is going to make this difficult for physicians in the real world to adopt.  What about when the interests are not clear, or the interests of patients conflict?  No answers to these questions are provided by the AMA.

It's not clear why the AMA felt compelled to jump into the EMR fray, given that there's no lack of state or federal regulation or attention at this point.  It's even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.