Red Flags Rule No Longer Applicable to Healthcare Providers

In the first case to discuss the Red Flag Program Clarification Act of 2010 (“Clarification Act”), the Court of Appeals for the DC Circuit dismissed the American Bar Association’s (ABA) lawsuit against the Federal Trade Commission (FTC) as moot. This dismissal is significant to healthcare providers as the reasoning behind the dismissal is directly analogous to the application of the Red Flags Rule to healthcare providers.

The ABA’s suit followed the issuance of the FTC of an Extended Enforcement Policy which explained that “professionals, such as lawyers or health care providers, who bill their clients after services are rendered,” would be considered “creditors” under the statute and, therefore, subject to the Rule’s requirements. The Court determined that the Clarification Act mooted the case because “the Clarification Act . . . clarifies that, to be a ‘creditor’ subject to the Red Flags Rule requirements, one must not only regularly extend, renew, or continue credit . . . , but must also ‘regularly and in the ordinary course of business,’ (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment.” The Court determined that the Clarification Act “made it clear that a creditor’s allowance of deferred payments alone could not trigger the identity theft protection requirements.”

The Court clarified that the ability to defer payment “is no longer enough to make a person or firm subject to the FTC’s Red Flags Rule – there must now be an explicit advancement of funds. In other words, the FTC’s assertion that the term ‘creditor,’ as used in the Red Flags Rule and the FACT Act, includes ‘all entities that regularly permit deferred payments for goods or services,…is no longer viable.” The Court’s decision echoes the legislative history of the Clarification Act, in which Senator Dodd commented that the design of the Clarification Act “makes clear that lawyers, doctors…and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule…”

Although the case involved the application of the Red Flags Rule to lawyers, the Court’s analysis should be equally applicable to healthcare providers, which were previously subject to the Red Flags Rule because of deferred payment for medical services. The Court’s ruling makes it clear that healthcare providers will no longer be deemed creditors under the Red Flags Rule based on their payment method of providing services and billing for those services later.

However, the Court also noted that it would not prematurely comment on any new rules the FTC may promulgate. The FTC has the authority to engage in rulemaking to include entities within the coverage of the Red Flags Rule that maintain accounts subject to a reasonably foreseeable risk of identity theft.

If you have any questions regarding the Red Flags Rule and its application to healthcare entities please contact Elana Zana.

The Red Flags Rule Clarified – May Exclude Healthcare Providers

Earlier this week President Obama signed the Red Flag Program Clarification Act of 2010, which attempts to clarify the definition of creditor and may exclude some healthcare providers from implementing a Red Flags Rule Identity Theft Program.  The Clarification Act does not specifically exclude healthcare providers from the definition of creditors.  Rather, it redefines the term “creditor” and provides an exception.  In the new definition the term creditor does not include an entity that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  Many healthcare organizations are reading this new definition to specifically exclude healthcare providers from the authority of the Red Flags Rule and the FTC. 

However, the Clarification Act does not specifically exempt healthcare providers and in fact gives the FTC discretion to define as a creditor an entity that “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  This may mean that the FTC includes some healthcare providers in future rule making.

Currently, the Red Flags Rule is the subject of two legal challenges, one by the American Bar Association and another by several medical groups.  The lawsuits argue that the FTC exceeded its authority with its broad definition of creditors.  The lawsuits are still pending.

The FTC has delayed enforcement of the Red Flags Rule on several occasions.  Enforcement of the Red Flags Rule has been postponed until December 31, 2010.

For more information please contact Elana Zana.

FTC Extends Enforcement of Red Flags Rule to December 31, 2010

The FTC has extended the deadline for enforcement of the Red Flags Rule until December 31, 2010, with the hope that Congress will remedy some unintended consequences of the legislation establishing the Red Flags Rule.  For more information and to read the FTC press release click here.   Other guidance materials may be found on the MRSC and FTC websites and on previous blog postings.

FTC Extends Enforcement Deadline for Red Flags Rule to June 1, 2010.

The FTC has extended the deadline for enforcement of the Red Flags Rule until June 1, 2010, at the request of Congress.  This delay comes on the heels of a U.S. District Court ruling on October 30, 2009, which held that the FTC may not apply the Red Flags Rule to law firms.  The Commission previously delayed enforcement of the Rule until November 1, 2009.  The FTC’s Press Release may be found here.  Other guidance materials may be found on the MRSC and FTC websites and on previous blog postings.