Alaw protecting consumers from identity theft is a good idea, right? Sure — except when that law means dental offices have to complete paperwork for scenarios that don’t apply to them, as was
the case with the Federal Trade Commission’s Red Flags Rule. Introduced
in 2008, it prompted immediate action
from the American Dental Association,
which successfully alerted its 157,000
members to take action and exempt
themselves from the rule.
What Is the Red Flags Rule?
Approximately eight years ago, Congress
passed the 2003 Fair and Accurate
Credit Transactions Act, in which it
directed the FTC to develop regulations
for creditors, who would be required to
create and enforce identity theft prevention programs for the purpose of detect-ing “red flags” signaling identity theft in
their businesses.
Under the FTC’s Red Flags Rule,
health professionals — including medical doctors, dentists, optometrists and
veterinarians — are considered creditors
because they are defined as “businesses
or organizations that regularly provide
goods or services first and allow customers to pay later.” This interpretation
of the law exposes small businesses,
including dental or medical practices,
to the same considerable fines and
penalties faced by banks and large businesses.
“When the FACT Act was passed,
nobody in the health care world had any
idea that there would be any requirement for dentists or physicians to implement identity theft programs,” says
Mike Graham, ADA interim senior vice
president of government affairs.
In January 2008, the FTC revealed
its full Red Flags Rule regulations. In
September of the same year it notified
health care organizations that the Red
Flags Rule would consider them “credi-
tors.” Full compliance originally was
scheduled for November 2008. Then,
in March 2009, the FTC confirmed to
the ADA that its members were consid-
ered creditors and were thus required to
implement and enforce Red Flags Rules
in their practices.
Breaking the Rules
As most consumers know, when they
first visit a dentist’s office — before
they even see a dentist — they must
fill out multiple informational forms.
Once the forms are complete, they see
the dentist, who gives them a dental
exam and often takes X-rays. Next, the
dentist develops a work plan before any
dental work occurs. Finally, the patient
returns multiple times — sometimes
over the course of several months —
for treatment. Because they often live
in the same communities where they
work, most dentists already know their
patients personally. And even when they
don’t, that their records typically include
X-rays for each patient makes identity
theft extremely difficult.
“We encourage any dental office to
follow the Red Flags Rule as all small
businesses would want to do to prevent
identity theft,” Graham says. “But with
the way these regulations are written
— even if a dental office complies in
good faith and submits the necessary
paperwork — dentists can still get fined
$2,500 if they don’t implement the
rules to the FTC’s satisfaction.”
The ADA estimates that implement-
ing the Red Flags Rule would cost den-
tal offices a minimum of $600 each,
or a total of $72 million. A significant
part of the ADA’s argument is that Con-
gress never intended for the FACT Act
to apply to small businesses, as defined
by the Small Business Administration,
which classifies 99.8 percent of all ADA
members’ dental practices as small
businesses.
When it became clear in late 2008
that the Red Flags Rule would adversely
impact ADA members, the ADA’s Government Affairs department sprang into
action. Then, in early 2009, it hosted
a conference call with the FTC legal
department to state its case.
“It was clear that while the FTC
acknowledged our position, they were
not going to change,” Graham says.
