Posts Tagged ‘medical ID theft’

FTC Red Flag Laws to Remain Applicable to Physicians

Monday, April 19th, 2010

The Federal Trade Commission has rejected the request to exempt physicians and other health care professionals from the FTC Red Flag identity theft prevention laws. It seems the U.S. District Court for the District of Columbia found that the FTC exceeded its authority in enforcing its Red Flag laws against attorneys and lawyers. So I guess the AMA, the American Medical Association, thought they would take a stab at trying to get themselves exempted as well. Their first attempt has been rejected.

This does not come as a surprise; the FTC is still trying to appeal the decision brought by the American Bar Association (ABA), so it doesn't make sense that they would just let the medical professionals off the hook. I understand that these businesses don't want to implement the identity theft programs that the rules require, but it would be for the benefit of their customers.

The Red Flags laws have been delayed several times and it seems that they could be delayed much longer if the lawsuits don’t clear up. It seems the AMA is trying to prevent the FTC from enforcing the regulations until the ABA litigation is resolved. Who knows how long that could take?

I think the Red Flag laws are a good thing and bring some responsibility to creditors. If they are going to lend people money, be it banks, medical practices, or lawyers, they should take the time to ensure they are charging the right person. I think the Red Flag laws will be most helpful in the medical field due to the large number of medical identity thefts that happen.

Sept. 23 deadline for health-care data breach, ID theft risk notification rules

Monday, September 21st, 2009

Health care related businesses have only two more days to prepare a data breach notification plan. A new rule requiring that health care providers, insurers and clearinghouses notify individuals whose unsecured protected health information has been inappropriately accessed or disclosed goes into effect September 23.

Additionally, the data breach notification rule applies to any business associates of any entity covered by HIPAA.

The notification is to be made "without unreasonable delay," and in no case later than 60 calendar days after the breach is discovered. An exception to this provision is made if law enforcement requests a delay, a common occurrence when an investigation is ongoing, particularly if the breach appears to affect a large number of people or is part of a larger scam.

However, even if notification takes place within 60 days, the Department of Health and Human Services (HHS) could determine that the covered entity failed to meet the provision if notification could have been made sooner. The 60 days are an outer limit, not a grace period.

If the breach involves 500 or more people, HHS has to be notified at the same time as the affected individuals, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area have to be notified as well. Smaller breaches must be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.

Another exception to the rule is encrypted or destroyed information. The notification requirement only applies to "unsecured" protected health information, meaning data that has not been rendered unusable, unreadable or indecipherable to unauthorized persons by one of the methods specified in HHS guidance: encryption consistent with NIST recommendations, or destruction (shredding for paper, media sanitization for electronic records). If a hacker breaks into a server or database where the health care entity has encrypted the data in this way, the entity is off the hook and doesn't have to make any notification. Two caveats matter in practice: access controls, firewalls and similar protections do not qualify on their own, only encryption or destruction does; and the safe harbor is lost if the decryption key was also exposed, since the guidance requires that the key or process needed to decrypt the data was not itself breached.

Data breach is defined as "the acquisition, access, use or disclosure of protected health information in a manner not permitted (by the HIPAA Privacy Rule) that compromises the security or privacy of the protected health information," where "compromises the security or privacy" means it "poses a significant risk of financial, reputational or other harm to the individual." In other words, the entity performs a risk assessment after an incident, and the notification duties above are triggered only when that assessment finds significant risk of harm.

The rule is part of an alphabet soup of new legislation. It applies to any entity covered by the Health Insurance Portability and Accountability Act (HIPAA), and is part of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).