Enforcement of Red Flag Rules Begins on December 31, 2010 — Health Care Providers and Organizations May Be Affected

As you may know, the FTC originally published the so-called Red Flag Rules (RFR) in October 2007 in an attempt to combat the risk of identity theft. These rules require any entity defined as a “creditor” to institute an identity theft prevention program.

Originally, the RFR defined “creditor” very broadly and included businesses or organizations that provide goods or services first and allow customers to pay later. This definition encompassed many types of businesses that are not generally considered creditors, such as physician practices, nursing homes, personal care homes, assisted living facilities and hospitals. After many delays, the enforcement date for the RFR is set for December 31, 2010, but it now appears as if select health care providers and organizations may not be as deeply affected as originally suspected.

Late in the day, December 8, 2010, the US House of Representatives passed a Senate Bill which significantly narrows the scope of the businesses that will be considered creditors under the RFR. The amended definition of creditor in this Bill excludes an organization “that advances funds on behalf of a person for expenses incidental to a service provided by the [organization] to that person.” This change is intended to have the effect of excluding businesses that bill for services after the services have been provided, especially professional services providers, such as physicians and health care facilities.

However, health care providers and organizations that may appear to now be excluded under the above language need to be careful not to jump to conclusions. All businesses that provide services prior to requesting payment should examine their overall business practices because if they perform any of the activities outlined below, they will still be considered a creditor under the RFR and be subject to its requirements.

  • Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction
  • Furnish information to consumer reporting agencies in connection with a credit transaction
  • Advance funds to or on behalf of a person, based on an obligation of that person to repay the funds or repayable from specific property pledged by or on behalf of the person

A failure to implement an identity theft prevention program by a creditor under the RFR definition may be subject to monetary penalties and civil suits by consumers.

For More Information

If you need assistance determining whether your organization is an RFR creditor under this amendment or what must be included in an identity theft prevention program, please contact Paul H. Schieber at 610.205.6040 or your Stevens & Lee attorney.

This News Alert has been prepared for informational purposes only and should not be construed as, and does not constitute, legal advice on any specific matter. For more information, please see the disclaimer.