FTC Suspends Enforcement of Red Flags Rule Until August 1
Date: 07/14/2009
Author(s): Jennifer Sullivan, Sharon Caulfield
Please be advised that the Federal Trade Commission has extended the deadline for compliance with the Red Flag Rules until August 1, 2009.
For more information, please see www.ftc.gov/opa/2009/04/redflagsrule.shtm or contact Caplan and Earnest at (303) 443-8010.
FTC Red Flag Rules – New Compliance Requirements for Health Care Providers
On November 9, 2007, the Federal Trade Commission (FTC) published "Red Flag Rules" which require certain "creditors" to implement an identity theft program by November 1, 2008. Many in the health care industry have been surprised to learn that the FTC is interpreting these rules as applying to hospitals, physicians, and other health care providers. Acknowledging the widespread confusion about the Red Flag Rules, the FTC has announced that it will delay enforcement of the rules for a six-month period. However, health care providers should take steps now to determine whether they are covered by the Red Flag Rules and, if they are, begin compliance planning. Additionally, some providers may be subject to separate requirements relating to notices of address discrepancies and address changes. The obligation to adopt these address-related procedures has not been delayed.
Who Must Adopt an Identity Theft Program?
The FTC’s Red Flag Rules apply to "creditors" that offer or maintain "covered accounts." Whether a health care provider meets these criteria requires a two-step analysis. First, is the provider a creditor because it "regularly extends, renews, or continues credit; regularly arranges for the extension, renewal or continuation of credit; or is an assignee of an original creditor who participates in the decision to extend, renew or continue credit"? Second, if the provider is a creditor, does it maintain "accounts" which are primarily for personal, family or household purposes and involve or are designed to permit multiple payments or transactions, or any other account with a reasonably foreseeable risk to customers or the creditor from identity theft? For purposes of the rules, an account may include an extension of credit such as the purchase of services involving a deferred payment.
Representatives of the FTC have indicated that health care providers may qualify as creditors with covered accounts based upon the financial arrangements that they make with patients. For example, the FTC has indicated that health care providers may be creditors with covered accounts if they bill patients after services are provided or insurance benefits are received. In September 2008, the American Medical Association (AMA) sent a letter to the FTC disputing this interpretation of the Red Flag Rules. Although the FTC subsequently delayed enforcement of the rules, it has not announced any change in its position. Therefore, physicians, hospitals, and other health care providers should independently assess whether they are covered by the rules.
Required Elements of Identity Theft Program
Providers that are covered by the Red Flag Rules must conduct a risk assessment and adopt a program for the detection, prevention, and mitigation of identity theft. The identity theft program must be adopted by the provider’s governing board and must include the following elements: (i) a list of red flags (patterns, practices, and/or specific activities that indicate the possible existence of identity theft); (ii) procedures for detecting red flags; (iii) procedures for responding appropriately to any red flags that are detected; (iv) procedures for periodically reviewing and updating the program to reflect changes in identity theft risks and other relevant circumstances; (v) procedures for exercising oversight over identity theft activities of persons and entities providing services directly to the covered entity; (vi) staff training; and (vii) continuing board oversight of the development, implementation, and administration of the program.
Other Duties
Health care providers that request reports from consumer reporting agencies (credit bureaus) must adopt procedures to investigate and respond to notices of address discrepancies received from an agency. If a provider issues payment cards, additional procedures are required when a notice of address change is followed by a request for an additional or replacement card. These requirements are separate from the Red Flag Rules and do not require the health care provider to be a creditor with covered accounts.
Timing Issues
Although the FTC has delayed enforcement of the Red Flag Rules, the November 1 effective date has not been changed. As noted by some commentators, this discrepancy may create risk exposure in some situations – e.g., if a person is harmed by conduct that would have been prevented if an identity theft program were in place after the effective date of the rules. Covered providers can reduce this risk as well as the financial losses associated with identity theft by implementing an effective red flag program as soon as possible. Additionally, health care providers should take immediate steps to comply with the FTC’s address-related requirements when applicable.
Additional Information
The Red Flag Rules can be found at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=9437ad0ef3db42bd9114d82b3e47d931&tpl=/ecfrbrowse/Title16/16cfr681_main_02.tpl.
If you have any questions or would like additional information, please contact Jennifer Sullivan at (303) 443-8010.