Skip to content Skip to navigation

The Red Flags Rule: Third Time Is Not The Charm

August 3, 2009
by Reece Hirsch
| Reprints

On July 29, the Federal Trade Commission postponed enforcement of the controversial Red Flags Rule for the third time, extending the compliance deadline from August 1 to November 1. Healthcare industry groups have been among the loudest critics of the Red Flags Rule (along with the American Bar Association and the National Retail Federation). As I have noted in previous posts, at issue is the broad range of entities classified as "creditors" that are required to implement identity theft prevention programs.

"Creditor" is defined as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit." 16 C.F.R. sec. 681.2(b)(5). Creditors include banks, credit card issuers, and companies that offer installment payments. Credit also includes the right granted by a creditor to purchase services and defer payment for the services. It is the FTC's view that hospitals, medical groups and other health care providers that defer payment for services are creditors, and thus must implement programs designed to detect relevant patterns, practices and specific activities that are "red flags" for possible identity theft.

In an article posted on the FTC website, the FTC clarifies that health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service also does not make you a creditor under the Rule.

Health care providers should not assume that this reprieve from Red Flags compliance will be extended beyond November 1. The FTC has stated that it will spend the coming months providing additional education and guidance regarding Red Flags Rule compliance, and has given no indication yet that it is backing down from its broad interpretation of the definition of "creditor" … even in the face of mounting criticism and possible legal challenges.

 

Topics

Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...