The Red Flags Rule Clarified – May Exclude Healthcare Providers

Earlier this week President Obama signed the Red Flag Program Clarification Act of 2010, which attempts to clarify the definition of creditor and may exclude some healthcare providers from implementing a Red Flags Rule Identity Theft Program.  The Clarification Act does not specifically exclude healthcare providers from the definition of creditors.  Rather, it redefines the term “creditor” and provides an exception.  In the new definition the term creditor does not include an entity that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  Many healthcare organizations are reading this new definition to specifically exclude healthcare providers from the authority of the Red Flags Rule and the FTC. 

However, the Clarification Act does not specifically exempt healthcare providers and in fact gives the FTC discretion to define as a creditor an entity that “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  This may mean that the FTC includes some healthcare providers in future rule making.

Currently, the Red Flags Rule is the subject of two legal challenges, one by the American Bar Association and another by several medical groups.  The lawsuits argue that the FTC exceeded its authority with its broad definition of creditors.  The lawsuits are still pending.

The FTC has delayed enforcement of the Red Flags Rule on several occasions.  Enforcement of the Red Flags Rule has been postponed until December 31, 2010.

For more information please contact Elana Zana.