Think you are Exempt from the Red Flags Rule? … Don’t Take Your Red Flags Down So Fast.
Prepared by Krystyna Nowik, Esq.
Health care providers and the Identity Theft Red Flags and Address Discrepancies Final Rule (“Red Flags Rule”) have had a drawn-out and bumpy history together. Considerable uncertainty with regard to what entities were or should be considered creditors within the meaning of the Red Flags Rule resulted in multiple delays in the effective date and several legal challenges to the Red Flags Rule (e.g., the American Bar Association (ABA) and its applicability to attorneys and the American Medical Association (AMA) and its applicability to physicians).
On December 18, 2010, the Red Flag Program Clarification Act was passed for the sole purpose of narrowing the definition of creditor and providing some clarification as to what entities would be subject to the Red Flags Rule. The Red Flag Program Clarification Act does not explicitly exclude physicians, hospitals or other types of professionals or entities who had challenged the Red Flags Rule applicability. However, it revises the definition of creditor to mean:
(1) a creditor as defined by section 702 of the ECOA (e.g., any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit) that regularly and in the ordinary course of business:
a. obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
b. furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; OR
c. advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;
(2) that does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; AND
(3) includes any other type of creditor…as the agency…may determine appropriate…based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.
Under this new definition, attorneys and other entities will not be considered a creditor for purposes of the Red Flags Rule. Additionally, many physicians and hospitals may not be subject to the Red Flags Rule. However, the exemption does NOT necessarily let all health care providers off the hook.
Entities will still need to look at whether they “regularly and in the ordinary course of business” obtain or use consumer reports or furnish information to consumer reporting agencies as well as whether they are advancing funds that will need to be repaid by the person. This potentially means that hospitals or physician groups that routinely submit information on non-paying patients to collection agencies which in turn submit such information to a credit reporting agency WILL be subject to the Red Flag Rules.
In addition, further guidance is likely to be issued by the FTC regarding the applicability of the new creditor definition and other types of creditors with regard to “reasonably foreseeable risk”. Additionally, no guidance is provided by the Red Flag Program Clarification Act as to what “regularly and in the ordinary course of business” means. However, although the American Hospital Association believes hospitals are clearly exempt from the Red Flags Rule by the new definition, hospitals who engage in billing and collection practices should be prepared to comply as of January 1, 2011 in the event such activities would qualify the hospital as a “creditor” or in the event the FTC through rulemaking expressly covers hospitals under the “reasonably foreseeable risk” of identity theft provision.
In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent potential harm to the victim. When dealing with medical identity theft, the stakes can be much more than just financial loss — it can potentially cost a person their health, or life. Where multiple providers are connected through and HIO and engaging in HIE, the risks and harm resulting from identity theft may be multiplied. Therefore, irrespective of whether a provider is or is not directly subject to the FTC assessing penalties for noncompliance, implementing a Identity Theft Prevention Program is a good idea from the standpoint of risk management, and patient care.
For a great video on Medical Identity Theft, watch this news report from CBS3. For more information about the Red Flags Rule, click “Continue Reading” below.
CONTINUE READING
The Identity Theft Red Flags and Address Discrepancies Final Rule (“Red Flags Rule”) was issued November 2008 under the Fair and Accurate Credit Transactions Act of 2003. It required “creditors” and “financial institutions” to establish identity theft prevention programs in order to identify and resolve identity theft in connection with “covered accounts”.
The Red Flags Rule requires establishment of a written identity theft program with reasonable policies and procedures to address risk of identity theft to the financial institution or creditor’s customers and to the safety and soundness of the financial institution or creditor. The program must identify and detect “red flags” as well as prevent and mitigate identity theft in connection with covered accounts and comply with the Red Flags Rule in form and format as appropriate to the size, complexity and nature of the financial institution or creditor’s activities.
The Red Flags Rule incorporates the Equal Credit Opportunity Act (ECOA) definition of creditor, which includes:
- any person who regularly extends, renews, or continues credit;
- any person who regularly arranges for the extension, renewal, or continuation of credit; or
- any assignee of an original creditor who participates in the decision to extend, renew or continue credit.
Under the position taken by the FTC, this broad definition includes health care providers and hospitals. For example, a hospital or physician who provides health care services to a person and then defers payment to a later date would involve “credit” and as such, would be considered a creditor within the meaning of the Red Flags Rule. Likewise, a hospital that bills an insurance company and then bills the patient for any remaining unpaid amounts would also be considered a creditor. As a letter addressed to the American Medical Association by the FTC noted,
Because credit under the ECOA involves any simple deferral of payment, even if there are no finance charges or installment payments, the ECOA applies to many transactions when the consumer pays after receiving the goods or services, such as doctor and hospital bills….(internal citation omitted).
In addition, the Red Flags Rule only applies to the opening or maintenance of a covered account, which is defined as:
an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designated to permit multiple payments or transactions or any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial operation, compliance, reputation or litigation risks.
Providers in New Jersey should also note that the New Jersey Identity Theft Prevention Act (ITPA) imposes additional State law requirements. Thus, providers in the State of New Jersey ideally should develop a program including not only the Red Flags Rule, but also the NJ-ITPA. For additional information regarding State-specific guidance, contact helen@oscislaw.com.
