FTC Issues FAQ Guidance On Red Flag Rules Applicable To Health Care Providers & Others

The Federal Trade Commission (FTC) and five other federal agencies yesterday (June 11, 2009) jointly issued a set of frequently asked questions (FAQs) about  federal regulations on the “Red Flags and Address Discrepancy Rules” (Red Flag Rules) implementing sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) now scheduled to take effect on August 1, 2009.  

Health care providers and a broad range of other entities are among the organizations generally required to comply with the broadly reaching Red Flag Rules, which require “financial institutions” and “creditors” to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address.  The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.  

The sweeping reach of the definition of “creditor: and “financial institutions” in the Red Flag Rules and other confusion about the Red Flag Rules have prompted the agencies to delay the deadline for compliance several times.  The most recent delay, which extended the compliance deadline from May 1 to August 1, 2009, was announced by the FTC on April 30, 2009.  The FTC promised to issue additional guidance to help promote better understanding of the rules when it announced this latest delay in the compliance deadline on April 30, 2009.

Fulfilling this promise, the FAQs discuss numerous aspects of the Red Flag Rules, including:

  • Types of entities and accounts covered;
    Establishment and administration of an Identity Theft Prevention Program;
  • Address validation requirements applicable to card issuers; and
  • Obligations of users of consumer reports upon receiving a notice of address discrepancy.

FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many  doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.  The FTC has made clear it perceives most health care providers as falling within the scope of these rules.

FACTA is only one of a growing list of the evolving privacy and data security mandates applicable to businesses under federal and state laws that organizations must address under applicable federal laws.   In addition to FACTA, most businesses also face other specific data security and data breach requirements under a tapestry of other federal and state laws which are constantly evolving.  In addition to these FACTA and other generally applicable data security and breach rules, many organizations face evolving industry specific mandates. For example, health care providers, health plans, health care and their business associates also are required to update their privacy and data security practices to comply with recent amendments to the Health Insurance Portability & Accountability Act Privacy & Security Standards signed into law February 17, 2009.

Many of these federal laws provide for both civil penalties as well as criminal penalties that bring violations of these regulations under the Federal Sentencing Guidelines.  As a consequence, most organizations need to implement and administer compliance programs to manage these Federal Sentencing Guideline risks.  Even where criminal sanctions are not triggered, noncompliance with these and other data security mandates can trigger substantial judgment awards, administrative penalties or both.

If you need assistance with auditing, updating, administering or defending your privacy, data security or other privacy and data security practices or addressing other health care compliance, risk management, transactions or operations concerns, please contact Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com.

For More Information

We hope that this information is useful to you. You can find more information about the Red Flag Rules and other privacy and identity theft matters at here. You also can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to CStamer@CTTLegal.com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: