A Red Flag Reprieve for Health Care Providers? The Door Remains Open Pending Federal Agency Action
Recent developments regarding the Identity Theft Red Flags Rule (the Red Flags Rule) may provide a much hoped-for reprieve for many health care providers. New bills passed by Congress appear to remove some providers from the Red Flags Rule.
Pending President Obama’s signature, the legislation will exempt from the definition of “creditor” those businesses “that advance funds on behalf of a person for expenses incidental to a service provided by the [business] to that person.”
Creditors not covered under the legislative exemption will continue to face the looming Red Flags Rule compliance date of Jan. 1, 2011. Furthermore, there is a chance that federal agencies might seek to pull at least some types of health care providers back into the Red Flags Rule.
On Nov. 30, 2010, the U.S. Senate passed the Red Flag Program Clarification Act of 2010 (Clarification Act), S. 8987, and on Dec. 7, 2010, it was sent to the president. A companion bill, HR 6420, also was passed by the House of Representatives on Dec. 7, 2010.
The Clarification Act would exclude from its definition of “creditor,” businesses “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” Although not crystal clear, this definition of “creditor” appears to exclude some health care providers that obtain payment for services after they are rendered. Many a provider, however, may continue to fall within the definition even with the Clarification Act.
Moreover, the Clarification Act would allow certain regulatory agencies “listed in 15 U.S.C. 1681m(e)(1)” (which essentially are the Federal Trade Commission (FTC), the federal banking agencies, and the National Credit Union Administration) to extend the Red Flags Rule to cover businesses with accounts that are “subject to a reasonably foreseeable risk of identity theft.” Health care providers will have to stay tuned to see how those agencies, and most notably the FTC, will respond to this invitation to weigh in on the application of the Red Flags Rule.
Significantly, the FTC has voiced apparent concern with medical identity theft and has, in the past, opined that health care providers are among the “creditors” covered under the Red Flags Rule. In fact, the FTC specifically included health care providers among its list of groups that may qualify as examples of creditors (see FTC website for “The Red Flags Rule: Frequently Asked Questions”).
The Red Flags Rule was developed in 2007, at Congress’ direction, by the FTC and five other federal agencies. As published in November 2007, the Red Flags Rule required that financial institutions and “creditors” with “covered accounts” maintain identity theft prevention, detection, and mitigation programs by Nov. 1, 2008. “Creditors” was broadly defined to include businesses that regularly provide goods or services first and allow customers to pay later.
The Red Flags Rule caught many health care providers and other organizations by surprise, with much confusion surrounding exactly who would be covered under the broad scope of the Red Flags Rule. As a result, the FTC delayed enforcement of the Red Flags Rule numerous times. The most recent enforcement date is Jan. 1, 2011, which gives Congress the opportunity to adopt legislation that would limit the types of businesses covered by the Red Flags Rule.
For further discussion of the Red Flags Rule, please see our previous advisories:
"Red Flag Rules Compliance Deadline Approaches: Providers should focus on identity theft prevention program implementation" (February 2009)
"FTC Delays Enforcement of Red Flag Rules to May 1, 2009" (October 2008)
"Health Care Providers: Don't Miss the Red Flags" (August 2008)
"'Red Flag' Identity Theft Programs Required by November 2008" (July 2008)