Healthcare: Senate Passes "Red Flag Program Clarification Act" Aimed at Exempting Healthcare Providers
Late on November 30, 2010, the U.S. Senate passed S. 3987, which amends the definition of the term "creditor" for purposes of the FTC's Red Flag Rules. The FTC originally developed the Rules requiring "creditors" that have "covered accounts" to develop and implement written identity theft programs. The definition of the word "creditor" was intentionally made broad and was originally intended to include health care providers based on the FTC's stance that medical identity theft poses a growing and especially dangerous risk.
In the wake of political pressure and a frenzy of legal attacks by organizations such as the American Medical Association and the American Bar Association, the Senate passed a bill specifically excluding from the definition of "creditor" persons who "advance funds" by providing services in advance of receiving payment. This provision is aimed at specifically exempting physicians and other businesses who accept payment after providing services.
The bill does, however, include language permitting relevant government agencies to designate "creditors" subject to the Rules where the agencies determine that the person in question maintains accounts that are subject to a reasonably foreseeable risk of identity theft. Designations of this kind must be made through agency rule-making. While it is unclear at this time exactly what the implications of this "designation clause" are, it is possible that certain classes of health care providers, if they maintain accounts in such a way that an agency believes subjects the entity to a reasonably foreseeable risk of identity theft, could yet be subject to the Red Flag Rules.
It therefore appears that even if the "Clarification Act" is passed into law, the FTC could still find that healthcare providers "maintain accounts . . . subject to a reasonably foreseeable risk of identity theft." Though the FTC has faced much scrutiny in its attempts to define "creditors" so broadly, the agency is correct that identity theft in the healthcare industry is a real and growing concern, and healthcare providers would be well advised to seek the aid of counsel in reviewing their policies and developing safeguards in the event they are faced with an instance of identity theft.
The author, James R. Bullard, may be contacted at firstname.lastname@example.org