Identity Theft and the FTC’s Red Flags Rule

FTC Red Flags Alert Rule

Update: In a voice vote today, December 7, 2010, the House passed the Red Flag Program Clarification Act of 2010. The Act now goes to President Obama for signing.

On November 30, 2010, the U.S. Senate passed legislation that could exempt health care providers from the FTC’s Red Flag Rule. The Red Flag Program Clarification Act of 2010 amends the Fair Credit Reporting Act with regard to the applicability of identity theft guidelines to creditors. Under the amendment, a “creditor” will “not include a creditor . . . that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” There is an identical companion bill before the House, which is expected to pass.  The Clarification Act may lift an impending compliance burden on businesses that do not collect payment for services at the time services are rendered, where there is no reasonably foreseeable risk of identify theft.

In colloquy supporting the legislation, Sen. Christopher Dodd, D-Conn., stated that the legislation “makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably forseeable risk of identity theft.”  The Clarification Act, however, vests discretion with the FTC to determine that a creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.  If the Clarification Act takes effect as presently worded, will such discretion swallow the exemption?  We’ll have to wait and see.  For an earlier discussion of the potential impact of the Red Flag Rule on health care providers, see the June 15, 2009 post to the HITECH Law Blog.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.