Red Flag Rule Relief For Health Care Providers, Lawyers & Other Service Providers Awaits President’s Signature

Congress has approved and sent to the President for signature legislation exempting doctors, dentists, hospitals, veterinarians, and other health care providers, lawyers, accountants, consultants and other service providers that allow customers to pay for their services and supplies over time from the burdensome “Red Flag Rules” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). 

FACTA’s Red Flag Rules generally require “creditors” to comply with burdensome identity theft prevention and monitoring rules issued by the Federal Trade Commission (FTC).  Under current FTC regulations set to take effect December 31, 2010, health care providers, attorneys, consultants or other service providers become covered creditors simply by allowing customers finance and pay charges to the service provider over time. 

Yesterday (December 7, 2010), the House of Representatives by voice vote passed H.R. 6420, the “Red Flag Program Clarification Act of 2010.:  Like the Senate version of the Bill, S. 3987, passed by the Senate on November 30, 2010, the Red Flag Program Clarification Act (“Act”) is intended by Congress to make clear that doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, lawyers and other service providers will no longer be classified as ‘creditors’’ for the purposes of the Red Flags Rules just because they do not receive payment in full from their clients when they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

Assuming the President signs the Act into law, the Red Flag Rule’s definition of “creditor” generally would continue to apply to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipients obligation to repay (or permit the funds to be repaid through specific property of the recipient), or otherwise is a creditor that the Federal Trade Commission (FTC) by rule determines should be covered as a creditor that offers or maintains accounts subject to a reasonably foreseeable risk of identity theft.   However, a person that only “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” will be expressly excluded from the definition of “creditor” for purposes of the Red Flag Rules.

The Act’s passage follows a multi-year battle by health care providers and other professional services providers to reverse the FTC’s interpretation of the Red Flag Rules as applicable to service providers that allow customers and clients to pay for services and supplies over time.  The outcry about the FTC’s interpretation of the scope of the rules and the perceived cost and complexity of their provisions lead the FTC to delay implementation several times.  See e.g., Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required. The relief provided under the Act is particularly welcomed by health care providers, who already face significant civil and criminal liability exposures under the health-industry specific privacy and data security requirements of the Health Insurance Portability & Accountability Act (HIPAA).  See CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.

While when signed into law the Act will the technical burdens that health care providers and other service industry businesses by exempting them from FACTA’s Red Flag Rules, these and other businesses generally face significant responsibilities and risk under other federal electronic crimes, and other federal and state data security, identity theft and other laws and precedent, as well as pursuant to contractual commitments incorporated into a broad range of agreements in response to FACTA, HIPAA and other risk management concerns.  Even after the President signs the Act into law, however, health industry and other businesses still may face contractual obligations to continue to comply with many of its mandates under contractual commitments incorporated into various agreements in anticipation of the effective date of the Red Flag Rule requirements.  Health industry and other businesses expecting to enjoy relief from the Red Flag Rules as a result the Act should review contractual and other obligations to properly understand their continuing legal responsibilities and, where warranted, consider seeking the removal of contract amendments to remove provisions incorporated into contracts solely in anticipation of Red Flag Rules mandates to the extent this limited relief permits.  Since the relief granted under the terms of the statute is quite narrow and limited, however, organizations should review carefully their operations to verify that their operations do not encompass other activities that would cause them to continue to qualify as creditors for purposes of the Red Flag Rules to avoid compliance exposures from over-estimating the scope of relief.

For More Information or Assistance

If you need assistance evaluating or responding the health industry or other privacy and data security concerns or other technology and process, compliance, risk management, transactional, operational, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872,

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising physicians, hospitals and other health industry clients about quality assurance, peer review, licensing and discipline, and other medical staff performance matters.  She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients, as well as other businesses, on privacy, data security, trade secret and related matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care staffing and human resources, compensation and benefits, technology, medical staff, public policy, reimbursement, privacy, technology, and other health and managed care industry regulatory, and other operations and risk management concerns for medical societies and staffs, hospitals, the HCCA, American Bar Association, American Health Lawyers Association and many other health industry groups and symposia.  Her highly popular and information packed programs include many highly regarded publications on HIPAA, FACTA, medical confidentiality, state identity theft and privacy and other many other related matters.  Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

For More Information

We hope that this information is useful to you.  You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here.  If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources.  If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. For important information concerning this communication click here.  .

©2010 Cynthia Marcotte Stamer. Limited license to reprint granted to Solutions Law Press.  All other rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: