President Signs Long-Sought Red Flag Rule Exemption Into Law

Allowing customers or clients to pay for services and supplies over time will not cause doctors, dentists, hospitals, veterinarians, and other health care providers, lawyers, accountants, consultants and other service providers to be required to comply with the burdensome “Red Flag Rules” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) after all.   President Obama earlier today (December 9, 2010) signed into law the “Red Flag Program Clarification Act of 2010 (S. 3987/H.R. 6420) (Act), which exempts businesses engaging in these limited financing transactions from the obligation to comply with the Red Flag Rule’s identity theft monitoring and prevention requirements.

FACTA’s Red Flag Rules generally require “creditors” to comply with burdensome identity theft prevention and monitoring rules issued by the Federal Trade Commission (FTC).  Before the Act became law today, FTC regulations set to take effect December 31, 2010 construed health care providers, attorneys, consultants or other service providers as covered creditors simply if they allowed customers finance and pay charges to the service provider over time.  Despite widespread outcry over this interpretation, efforts to overturn this interpretation had proven unsuccessful until recent weeks.

The Act intended by Congress to make clear that doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, lawyers and other service providers will no longer be classified as ‘creditors’’ for the purposes of the Red Flags Rules just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

As amended by the Act, the Red Flag Rule’s definition of “creditor” generally will continue to apply to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipients obligation to repay (or permit the funds to be repaid through specific property of the recipient), or otherwise is a creditor that the Federal Trade Commission (FTC) by rule determines should be covered as a creditor that offers or maintains accounts subject to a reasonably foreseeable risk of identity theft.   However, a person that only “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” now is expressly excluded from the definition of “creditor” for purposes of the Red Flag Rules.

The Act’s passage follows a multi-year battle by health care providers and other professional services providers to reverse the FTC’s interpretation of the Red Flag Rules as applicable to service providers that allow customers and clients to pay for services and supplies over time.  The outcry about the FTC’s interpretation of the scope of the rules and the perceived cost and complexity of their provisions lead the FTC to delay implementation several times.  See e.g., Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required.

Congressional action to overturn the interpretation took wings beginning in November.  After the Senate passed S. 3987, on November 30, 2010, the House of Representatives acted quickly to send the Act to the President for signature by approving H.R. 6420 on December 7. 

The relief provided under the Act is particularly welcomed by health care providers, who already face significant civil and criminal liability exposures under the health-industry specific privacy and data security requirements of the Health Insurance Portability & Accountability Act (HIPAA).  See CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.

While the Act exempts these limited transactions from the Red Flag Rules, businesses should avoid underestimating the scope of relief provided.  Even with the new exemption, these and other businesses generally face significant responsibilities and risk under other federal electronic crimes, and other federal and state data security, identity theft and other laws and precedent, as well as pursuant to contractual commitments incorporated into a broad range of agreements in response to FACTA, HIPAA and other risk management concerns.  Unless they take action to reform contracts and policies, health industry and other services covered by the new exemption generally may face contractual obligations to continue to comply with many of the Red Flag Rule mandates under contractual commitments incorporated into various agreements in anticipation of the effective date of the Red Flag Rule requirements.  Health industry and other businesses expecting to enjoy relief from the Red Flag Rules as a result the Act should review contractual and other obligations to properly understand their continuing legal responsibilities and, where warranted, consider revising contracts and policies to remove or adjust provisions incorporated solely in anticipation of Red Flag Rules mandates.  Health care providers and other businesses that fail to take these and other appropriate steps to clean up their contracts and procedures risks unnecessarily obligating themselves to continue to comply with rules despite their exemption from these legal mandates.

For More Information or Assistance

If you need assistance evaluating or responding the health industry or other privacy and data security concerns or other technology and process, compliance, risk management, transactional, operational, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872,

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising physicians, hospitals and other health industry clients about quality assurance, peer review, licensing and discipline, and other medical staff performance matters.  She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients, as well as other businesses, on privacy, data security, trade secret and related matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care staffing and human resources, compensation and benefits, technology, medical staff, public policy, reimbursement, privacy, technology, and other health and managed care industry regulatory, and other operations and risk management concerns for medical societies and staffs, hospitals, the HCCA, American Bar Association, American Health Lawyers Association and many other health industry groups and symposia.  Her highly popular and information packed programs include many highly regarded publications on HIPAA, FACTA, medical confidentiality, state identity theft and privacy and other many other related matters.  Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

For More Information

We hope that this information is useful to you.  You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources.  If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile here. For important information concerning this communication click here.

©2010 Cynthia Marcotte Stamer. Limited license to reprint granted to Solutions Law Press.  All other rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: