Red Flags Rule No Longer Applicable to Healthcare Providers

In the first case to discuss the Red Flag Program Clarification Act of 2010 (“Clarification Act”), the Court of Appeals for the DC Circuit dismissed the American Bar Association’s (ABA) lawsuit against the Federal Trade Commission (FTC) as moot. This dismissal is significant to healthcare providers as the reasoning behind the dismissal is directly analogous to the application of the Red Flags Rule to healthcare providers.

The ABA’s suit followed the issuance by the FTC of an Extended Enforcement Policy which explained that “professionals, such as lawyers or health care providers, who bill their clients after services are rendered,” would be considered “creditors” under the statute and, therefore, subject to the Rule’s requirements. The Court determined that the Clarification Act mooted the case because “the Clarification Act . . . clarifies that, to be a ‘creditor’ subject to the Red Flags Rule requirements, one must not only regularly extend, renew, or continue credit . . . , but must also ‘regularly and in the ordinary course of business,’ (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment.” The Court determined that the Clarification Act “made it clear that a creditor’s allowance of deferred payments alone could not trigger the identity theft protection requirements.”

The Court clarified that the ability to defer payment “is no longer enough to make a person or firm subject to the FTC’s Red Flags Rule – there must now be an explicit advancement of funds. In other words, the FTC’s assertion that the term ‘creditor,’ as used in the Red Flags Rule and the FACT Act, includes ‘all entities that regularly permit deferred payments for goods or services,’…is no longer viable.” The Court’s decision echoes the legislative history of the Clarification Act, in which Senator Dodd commented that the design of the Clarification Act “makes clear that lawyers, doctors…and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule…”

Although the case involved the application of the Red Flags Rule to lawyers, the Court’s analysis should be equally applicable to healthcare providers, which were previously subject to the Red Flags Rule because of deferred payment for medical services. The Court’s ruling makes it clear that healthcare providers will no longer be deemed creditors under the Red Flags Rule based on their payment method of providing services and billing for those services later.

However, the Court also noted that it would not prematurely comment on any new rules the FTC may promulgate. The FTC has the authority to engage in rulemaking to include entities within the coverage of the Red Flags Rule that maintain accounts subject to a reasonably foreseeable risk of identity theft.

If you have any questions regarding the Red Flags Rule and its application to healthcare entities, please contact Elana Zana.

The Red Flags Rule Clarified – May Exclude Healthcare Providers

Earlier this week President Obama signed the Red Flag Program Clarification Act of 2010, which attempts to clarify the definition of creditor and may exclude some healthcare providers from implementing a Red Flags Rule Identity Theft Program.  The Clarification Act does not specifically exclude healthcare providers from the definition of creditors.  Rather, it redefines the term “creditor” and provides an exception.  In the new definition the term creditor does not include an entity that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  Many healthcare organizations are reading this new definition to specifically exclude healthcare providers from the authority of the Red Flags Rule and the FTC. 

However, the Clarification Act does not specifically exempt healthcare providers and in fact gives the FTC discretion to define as a creditor an entity that “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  This may mean that the FTC includes some healthcare providers in future rule making.

Currently, the Red Flags Rule is the subject of two legal challenges, one by the American Bar Association and another by several medical groups.  The lawsuits argue that the FTC exceeded its authority with its broad definition of creditors.  The lawsuits are still pending.

The FTC has delayed enforcement of the Red Flags Rule on several occasions.  Enforcement of the Red Flags Rule has been postponed until December 31, 2010.

For more information please contact Elana Zana.

FTC Extends Enforcement of Red Flags Rule to December 31, 2010

The FTC has extended the deadline for enforcement of the Red Flags Rule until December 31, 2010, with the hope that Congress will remedy some unintended consequences of the legislation establishing the Red Flags Rule.  For more information and to read the FTC press release click here.   Other guidance materials may be found on the MRSC and FTC websites and on previous blog postings.

FTC Extends Enforcement Deadline for Red Flags Rule to June 1, 2010

The FTC has extended the deadline for enforcement of the Red Flags Rule until June 1, 2010, at the request of Congress.  This delay comes on the heels of a U.S. District Court ruling on October 30, 2009, which held that the FTC may not apply the Red Flags Rule to law firms.  The Commission previously delayed enforcement of the Rule until November 1, 2009.  The FTC’s Press Release may be found here.  Other guidance materials may be found on the MRSC and FTC websites and on previous blog postings.

Delay of Enforcement of Red Flags Rule to November 1, 2009

Today, the FTC announced its third delay of the enforcement of its Red Flags Rule.  This delay will mean that enforcement will now begin a full year later than the originally set date of November 1, 2008.  The FTC’s press release states that the reason for the delay is to provide FTC staff time to “redouble its efforts to educate [small businesses and other entities] about compliance with the ‘Red Flags’ Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”

As our previous blog posting discusses, healthcare providers including hospitals, physicians, clinics, and dentists are required to have a Red Flags Rule Identity Theft Policy in place.  Ogden Murphy Wallace is happy to provide assistance in drafting your entity’s policy.  For further information please contact Elana Zana (e-mail addresses are not provided in the blog to avoid spammers). 

Along with the press release, the FTC has published FAQs that address how the FTC intends to enforce the Red Flags Rule as well as some additional topics.  Click here to read these FAQs.

Red Flags Rule – Delayed Again

On July 29, 2009, the FTC deferred its enforcement of the Identity Theft Red Flags Rules for an additional three-month period.  Organizations labeled as “creditors” by the FTC will have until November 1, 2009 to implement their Identity Theft Prevention Policies.  Creditors required to comply with the Red Flags Rule include businesses that regularly defer payments or extend credit to personal or household accounts or establish customer accounts in which there is a reasonably foreseeable risk of identity theft.  The FTC broadly interprets its definition of “creditor,” examples of which include healthcare providers, car dealerships, utilities, cable companies, and colleges.  Red Flags are indicators of the possible existence of identity theft.  Creditors must create a program that detects Red Flags which may suggest the occurrence of identity theft, as well as appropriate methods for mitigating identity theft, preventing identity theft and responding to the Red Flags.  Failure to create a program may result in civil liability and fines from the FTC.  A “Red Flag” itself is a pattern, practice, or specific activity that indicates the possible existence of identity theft.  For example, a Red Flag may be the failure of a customer or patient to provide valid identification or notification by a customer that his/her identity has been stolen.

As a preliminary step, a creditor will need to identify whether it has covered accounts, a term defined to include an account “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”  As a practical matter, all patient accounts are considered covered accounts.  This determination includes a risk assessment which takes into account: 1) the methods the creditor provides to open its accounts, 2) the methods the creditor provides to access its accounts, and 3) the creditor’s previous experiences with identity theft.  This determination and risk assessment must occur on a periodic basis.