Red Flags Rule Clarification Act Signed into Law; Removes Most Physicians and Other Providers from Sweep of Identity Theft Red Flags Rule
On December 20, 2010, President Obama signed the Red Flag Program Clarification Act of 2010 (Clarification Act) into law. The new law limits the scope of the Federal Trade Commission’s (FTC’s) Red Flags Rule, which requires “creditors” to detect, prevent, and mitigate identity theft.
Section 2(a) of the Clarification Act amends the Fair Credit Reporting Act, 15 U.S.C. § 1681(m)(e), by defining the previously ambiguous term “creditor.” The Clarification Act states that a “creditor” is someone who engages in one or more of the following activities:
- Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
- Furnishes information to consumer reporting agencies…in connection with a credit transaction; or
- Advances funds to or on behalf of a person based on an obligation to repay the funds.
To account for service delivery models used by professionals and health care providers in which the relationship is not really that of creditor and debtor, the Clarification Act goes on to exclude from the third “creditor” activity those who “advance [ ] funds on behalf of a person for expenses incidental to services provided by the creditor to that person.” For example, where a provider provides a service and then later seeks reimbursement (e.g., payments from an insurance company and copayments from the patient), such provider is not extending credit, absent some other “creditor” activity noted above. This exclusion from the third type of “creditor” activity is significant because, prior to the clarification, the FTC had taken the position that any physician, other healthcare provider, or other professional who did not require complete payment at the time of service may be considered a “creditor” for purposes of the Red Flags Rule.
Accordingly, a physician or health care provider is no longer subject to the Red Flags Rule unless engaging in an unexcluded creditor activity. For example, a physician or hospital that runs a credit check on a patient in connection with setting up an installment plan would still be subject to the Red Flags Rule. Creditors that remain within the scope of the Red Flags Rule must have identity theft prevention and detection programs in place by December 31, 2010.
Additionally, other laws and regulations such as HIPAA continue to apply to most health care providers and require protection of certain personal information such as social security numbers and other information otherwise addressed by the Red Flags Rule.
Should you have any questions or need guidance regarding rules and regulations that govern identity theft or other privacy measures for physicians or other healthcare practitioners, please contact a member of the Ungaretti & Harris Healthcare Group.