Recently adopted legislation narrows the applicability of the FTC’s Red Flags Rule so that service providers, including health care service providers, are not subject to the rule merely because they are not paid in full at the time of service.
On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010 (Clarification Act). The Clarification Act narrows the categories of individuals and entities that are “creditors” subject to the U.S. Federal Trade Commission’s (FTC) Red Flags Rule, which requires identity theft detection and prevention programs. As a result, certain service providers, including physicians, other health care service providers, lawyers, accountants and other professionals will not be required to implement identity theft prevention programs merely because they accept insurance payments, or otherwise do not collect payment in full at the time of service.
Why a Clarification Act?
The Red Flag Program as adopted by Congress was highly controversial because the FTC took an expansive view of who had to comply with the Red Flags Rule, and it can be expensive and complicated to establish an identity theft prevention program. Prior to the Clarification Act, a creditor subject to the Red Flags Rule was any creditor as defined under the Fair Credit Reporting Act (FCRA), which is “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” The FTC interpreted this to include physicians and other health care providers who accept insurance or who permit payment plans by patients, as well as lawyers and other professionals who do not receive payment in full at the time of service.
In May 2010, the FTC postponed the Red Flags Rule’s enforcement for a fifth time, delaying implementation until December 31, 2010. The postponement reportedly was due in part to pending lawsuits from professional associations, such as the American Medical Association, over whether physicians are creditors under the Red Flags Rule, merely because they do not collect payment in full at the time of service. In the midst of these disputes, FTC Chairman Jon Leibowitz stated publicly that “[w]e agree with you the red flags rule reaches too far,” but the FTC pointed out the definition would have to be modified by Congress, if at all.
Who must comply with the Red Flags Rule?
The Clarification Act limited the application of the Red Flags Rule only to creditors (as defined under the FCRA above) that regularly and in the ordinary course of business:
Obtain or use consumer reports in connection with a credit transaction
Furnish information to consumer reporting agencies in connection with a credit transaction
Advance funds to or on behalf of a person who has an obligation of repayment
The Clarification Act excludes from the third category any entity or individual that advances funds on behalf of a person for expenses incidental to a service provided by the entity to that person.
The Clarification Act also provides that a federal banking agency, the National Credit Union Administration, or the FTC may promulgate a rule making any other type of entity or individual subject to the Red Flags Rule if the agency determines the entity or individual “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.” Thus, even with the passage of the Clarification Act, the FTC could still require hospitals or other health care providers to comply with the Red Flags Rule (if the FTC determines the provider maintains accounts that are subject to a reasonably foreseeable risk of identity theft).
Are all service providers exempt from the Red Flags Rule?
Unfortunately, while the purpose of the Clarification Act was to exempt physicians and other service providers from the Red Flags Rule merely because they accept insurance or otherwise do not receive payment in full at the time of service, it has created confusion by not identifying excluded professions or defining the terms “expenses,” “incidental” or “service” in the third category of creditor subject to the Red Flags Rule. Further, the FTC has stated informally that certain service providers may still be subject to the Red Flags Rule. While the FTC is expected to issue interpretive guidance to the Clarification Act, until such time a service provider should consider implementing an identity theft prevention program in compliance with the Red Flags Rule if it answers yes to any of the following questions:
Does the service provider regularly and in the ordinary course of business obtain or use consumer credit reports from Experian, TransUnion, Equifax or any other credit reporting agency in connection with a credit transaction, i.e., a transaction in which the provider defers payment of an amount due? For example, does a health care provider regularly obtain a credit report before entering into an extended payment plan for cosmetic procedures or other health care services not covered by insurance?
Does the service provider regularly and in the ordinary course of business report consumer credit information to Experian, TransUnion, Equifax or any other credit reporting agency in connection with a credit transaction? For example, if a patient or other customer of the service provider does not make payments within a certain amount of time, does the service provider report the delinquent account to a credit reporting agency?
Does the service provider regularly and in the ordinary course of business advance funds to or on behalf of a person who has an obligation of repayment as part of an extended payment plan or other loan transaction? For example, does the service provider regularly and in the ordinary course of business enter into payment plans to allow for multiple payments over time for cosmetic surgery or other elective health care services not covered by insurance?
What steps should service providers take to prevent identity theft?
Although most service providers may now be excluded from the Red Flags Rule, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data. As noted in FTC Issues Preliminary Privacy Report, Seeks Comment from Stakeholders, the FTC recently issued its preliminary guidelines for offline and online businesses that collect consumer information. The report presents a proposed framework for how the industry, consumers and policymakers should think about consumer privacy protection. These guidelines, while not having the effect of law, apply to any offline or online company that collects, maintains and uses consumer data and, unlike the Red Flags Rule, applies regardless of a company’s status as a “creditor.” The guidelines also suggest the FTC will pursue enforcement actions under the FTC Act where companies do not take reasonable privacy protection measures scaled to the level of risk their privacy practices pose. As such, it would be prudent for service providers to implement reasonable privacy practices, even if they fall outside the Red Flags Rule.