FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

Posted on July 2, 2010 by Gabriel M. Helmer

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule. 

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Reporting Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed the order and the Unites States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

Tags: , , , , , , , , , ,

AMA Adopts Principles on EMR Breach

Posted on June 22, 2009 by Colin J. Zick

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient's electronic medical record were to be breached.  The new AMA guidelines ask physicians to:

  1. ensure patients are properly informed of the breach and the potential for harm;
  2. follow ethically appropriate procedures for disclosure, including:
    a) confidential disclosure of the breach in a timely manner; and
    b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
  3. support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and 
  4. to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The report itself states that the "suggestions are not intended to be comprehensive" and its right -- these general rules raise more questions than they answer: 

i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient's best interest?
iii) how is a physician to know the "potential for harm"?

In particular, that third element -- placing the interests of patients above those of physicians, their practice or hospital -- is going to make this difficult for physicians in the real world to adopt.  What about when the interests are not clear, or the interests of patients conflict?  No answers to these questions are provided by the AMA.

It's not clear why the AMA felt compelled to jump into the EMR fray, given that there's no lack of state or federal regulation or attention at this point.  It's even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.

Tags: , , ,