The Federal Trade Commission (the “FTC”) has delayed enforcement of the Red Flags Rule until June 1, 2010. After three previous delays, the FTC was scheduled to begin enforcing the Red Flags Rule on November 1, 2009. However, in a statement posted on its website on October 30, 2009, the FTC announced that it will further delay enforcement of the Red Flags Rule at the request of members of Congress.
The Red Flags Rule requires financial institutions and creditors to adopt written identity theft prevention programs with respect to “covered accounts.” The Red Flags Rule defines a creditor as any person who: regularly extends, renews, or continues credit; regularly arranges for the extension, renewal, or continuation of credit; or is an assignee of an original creditor who participates in the decision to extend, renew, or continue credit. A “covered account” is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions or an account for which there is a foreseeable risk of identity theft.
The FTC has indicated that a health care provider is a creditor for purposes of the Red Flags Rule if the provider bills consumers after services are completed (including billing for the remainder of fees not covered by insurance), allows patients to set up payment plans after services are completed, or helps patients get credit from other sources.
Health care providers that are creditors under the Red Flags Rule must now have written identity theft prevention programs in place on or before June 1, 2010. These policies must identify relevant red flags of identity theft related to the covered accounts, establish policies and procedures by which the providers will detect and respond to such red flags, and ensure that the programs will be updated periodically to reflect changes in risks to the security of patients’ identities.
The FTC has issued a guide that entities may use in developing identity theft prevention programs, which is available here. However, entities should ensure that their policies are specifically tailored to their operations.
Additional Information
For more information on compliance with the Red Flags Rule, please contact a member of Benesch’s Health Care Department:
Harry M. Brown at 216.363.4606 or hbrown@beneschlaw.com
Janet K. Feldkamp at 614.223.9328 or jfeldkamp@beneschlaw.com
Alan E. Schabes at 216.363.4589 or aschabes@beneschlaw.com