Red Flags Clarification Exempts Most, Not All Providers
A congressional clarification bill passed December 7 has effectively exempted physicians from the Red Flags Rule. Whether hospitals are exempt is unclear.
After years of debate over healthcare’s inclusion in the federal regulation, Senate Bill 3987 effectively exempts from the rule many nonfinancial entities, including physician offices, law firms, and accountant offices.
The American Hospital Association says the bill exempts hospitals. However, some hospitals could still be covered by the rule if they use or report to credit agencies, according to healthcare attorney Kevin Ryan, principal at Chicago-based law firm Much Shelist.
The Senate bill has been reconciled with an earlier House bill and is now awaiting President Obama’s signature into law.
Passed in November 2007, the Red Flags Rule required financial institutions and other “creditors” to maintain programs that identify, detect, and respond to “red flag” patterns or activities that could indicate identity theft.
The author and enforcer of the rule, the Federal Trade Commission, interpreted “creditor” to cover entities that provided a service upfront and collected payment later in installments, such as a hospital providing treatment to a patient and then setting up a payment plan.
Some healthcare industry organizations, including the American Medical Association, disagreed with the interpretation and called the Red Flags Rule an unnecessary burden on providers. Others defended the FTC decision, saying the program would better protect patients from medical identity theft.
The Red Flag Program Clarification Act of 2010 amends the original definition of “creditor” that the FTC was instructed to use in writing the regulation. The bill was passed just before the FTC’s five-times-delayed enforcement deadline of December 31.
The bill states a creditor is someone who:
- obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
- furnishes information to consumer reporting agencies… in connection with a credit transaction; or
- advances funds to or on behalf of a person based on an obligation of the person to repay the funds
The bill states that entities cannot be considered creditors if “they advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
No Outright Exemption
The clarification act does not outright exempt any industry, including healthcare providers, from inclusion under Red Flags, said Naomi Lefkovitz, senior attorney, division of privacy and identity protection at the FTC. However, the terms make exemption almost certain for some types of businesses.
A small doctor’s office or veterinary clinic is likely to be exempted because they typically do not use or obtain consumer reports routinely in connection with credit transactions or furnish information to consumer reporting agencies.
But any entity, including a doctor’s office or hospital, that meets any of the three creditor criteria defined in the clarification bill as part of its normal business practices would still need to develop an identity theft mitigation program as described in the rule, Lefkovitz said.
Because some physician groups and hospitals use credit reports or furnish information to consumer reporting agencies as a regular aspect of business, Ryan feels those facilities would still qualify as creditors under the Red Flags Rule.
“There still may be healthcare providers out there that will come under the definition of a creditor,” Ryan said. “I think that healthcare providers should still review the act to determine whether they do meet the definition of creditor and still are required to comply by the beginning of next year.”
The FTC will begin enforcement of the rule either when the president signs the clarification bill or on the enforcement deadline of December 31, whichever comes first, Lefkovitz said.
While the American Hospital Association believes the clarification act “clearly exempts hospitals from the Red Flags Rules,” organization spokeswoman Marie Watteau said the association is concerned that the FTC will try to use rulemaking to cover hospitals.
“Exempt creditor is defined broadly to include hospitals,” Watteau wrote in an e-mail. “But we remain concerned that the legislation offers a backdoor way for the FTC to determine that any otherwise exempt creditor, including a hospital, would still be subject to the Red Flags Rules because they ‘offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft.’”
AHA plans to closely follow the FTC’s rulemaking process, Watteau wrote.
Ryan advises healthcare providers to consult with their attorneys on whether their business practices meet the amended creditor definition.
“[You] still need to look at whether you think you fit into the definition of creditor,” Ryan said. “And if you do, then you need to have a policy and comply with the Red Flags Rule by the end of the year.”