The Federal Trade Commission (FTC) has announced an additional enforcement delay of the ‘Red Flags’ identity theft rule. At the request of pro-optometry Members of Congress, the agency has extended the enforcement deadline until June 1, 2010. The AOA is now working to advance a measure in Congress that would exempt small business optometry practices from having to comply with the new requirements.

 Originally, the Red Flags rule was due to take effect in October 2008. However, objections raised by Rep. Nydia Velazquez (D-NY), the Chair of the Small Business Committee, the AOA and other organizations have resulted in FTC officials announcing four separate delays in their plan to begin enforcement of the rule. 

 Under legislation passed in 2003, businesses determined to be “creditors” would be required to implement appropriate programs to prevent and detect identity theft.  The regulation is targeted primarily at banks and other financial institutions which over recent years have reported growing numbers of serious identify theft incidents.

 However, the FTC has indicated that health care practices fit within the legislative definition of “creditors” and would be required to comply with the new regulation. While the FTC has not disputed AOA concerns that the new requirement is applied too broadly, the agency has indicated that it does not believe that it has the flexibility to interpret a more narrow definition without a legislative fix from Congress.

 On October 18, the U.S. House of Representatives overwhelmingly approved AOA-backed legislation to exempt small business optometry practices with 20 employees or fewer from having to comply with the far-reaching rule. Sponsored by Rep. John Adler (D-NJ), the bill (HR 3763) would provide an exemption for ODs and other health care providers as well as a mechanism for those over the 20-employee threshold. The AOA is now working to advance similar legislation in the U.S. Senate.  

Rep. Adler’s bill would specifically exempt optometry practices with 20 or fewer employees and also provide the FTC with an option of excluding larger health care practices other small businesses if they submit an application which meets the following criteria: the business knows all of its customers or clients individually, only performs services in or around the residences of its customers or has not experienced incidents of identity theft and identity theft is rare for businesses of that type. 

The AOA has also been successful in winning inclusion of favorable report language within the FY 2010 Financial Services and General Government appropriations bill requesting the FTC to further delay implementation of the Red Flags rule as it continues to work with the small business community to minimize the resulting burdens. Since then, the FTC has expressed a desire to delay enforcement to provide Congress with the opportunity to legislatively fix the statute.

HR 3763 will need to be cleared by the U.S. Senate and sent to President Barack Obama's desk to be signed into law before ODs are released from the requirements of the new regulation. However, the latest enforcement delay provides additional time to press for needed changes and secure a legislative fix.

Identify theft prevention measures that may be appropriate for optometric practices can be found in the Red Flags rule compliance guide, which can be accessed on the AOA Web site at www.aoa.org/FTCRedFlags.xml