FTC Extends Red Flag Rule Compliance Deadline From May 1 to August 1, 2009

Today is no longer the deadline for health care providers and other businesses regulated by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) to begin complying with the identity theft detection and prevention (“Red Flag Rules”) adopted by the Federal Trade Commission (“FTC”).   

While health care providers have more time to comply, they can’t breathe easy.  Finalizing arrangements to comply with these new mandates and other recent amendments to the health care privacy and data security requirements applicable to health care providers under recently enacted amendments to the Health Insurance Portability & Accountability Act (“HIPAA”) and FACTA and other recent regulatory and enforcement changes to these rules requires that health care providers move quickly.  Learn more about these recent changes at http://solutionslaw.wordpress.com/2009/04/18/hhs-ftc-release-guidance-on-hitech-act-data-breach-rules-for-hipaa-covered-entities-entities-dealing-with-personal-health-records.

The FTC announced yesterday (April 30, 2009) its extension of the Red Flag Rule enforcement date to until August 1, 2009.  Before yesterday’s announcement, health care providers and certain other FACTA-regulated businesses were required to comply with the Red Flag Rules today.  The announcment means these organizations now have an additional three months to adopt the necessary policies and processes to monitor and respond to possible identity theft required under the Red Flag Rules. 

According to the FTC announcement, organizations regulated by FACTA also will need to review their practices in light of additional guidance that the FTC expects to issue soon.  For entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC plans to  soon release a template to help them comply with the law.  Yesterday’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

The FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many  doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and  entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials was an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm.  The resources also included a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule.

You can find more information about the Red Flag Rules and other privacy and identity theft matters at CynthiaStamer.com.  If you need assistance with questions or compliance with these or other privacy and data security rules or other health law matters, contact Cynthia Marcotte Stamer at (214) 270.2402, or cstamer@cttlegal.com.  To receive future Solutions Law Press Health Care Updates, register to participate in this Solution Law Press Health Care Update blog, register at CynthiaStamer.com or join the SLP Health Care Risk Management & Operations Group on linkedin.com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: