After nearly two years of enforcement delays, the FTC’s Red Flag Rules finally became effective as of December 31, 2010. However, due to the Red Flag Program Clarification Act, signed into law on December 18, 2010 (“Clarification Act”), most health care providers will not be subject to the Red Flag Rules.

The Clarification Act limits the scope of who must comply with the Red Flag Rules. By their terms, the Red Flag Rules apply only to “creditors.” Under the original Red Flag Rules, most health care providers were considered “creditors” because they do not receive payment in full from patients at the time they provide the health care services. The Clarification Act amends the definition of who is a “creditor” in an effort to exclude from compliance the entities considered to be subject to the Red Flag Rules simply because they do not receive payment in full at the time they provide their services.

While the Clarification Act appears to be great news for health care providers, there are a few points to note:

  • Certain providers will be considered “creditors” under the new definition, and therefore, each provider should review the new definition to determine whether it is a creditor subject to the Red Flag Rules. The Clarification Act defines a “creditor” as any person who:  
    1. regularly extends, renews or continues credit, and  
    2. regularly and in the ordinary course of business:  
      1. obtains or uses consumer reports in connection with a credit transaction;  
      2. furnishes information to consumer reporting agencies in connection with a credit transaction; or  
      3. advances funds to a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of such person, except that an entity that advances funds to a person for expenses incidental to a service provided to that person is not a creditor.  
  • Under the Clarification Act, the FTC also has discretion to apply the Red Flag Rules to any entity which offers or maintains accounts that the FTC believes are subject to a reasonably foreseeable risk of identity theft. While it is not certain at this point how the FTC will ultimately use this discretion, it would be surprising if the FTC exercised this discretion any time in the near future to require health care providers to comply with the Red Flag Rules.
  • Taking steps to minimize the risk of identity theft makes good business sense even if health care providers are not subject to compliance with the Red Flag Rules. Accordingly, those providers that already implemented a Red Flag Rules compliance program may consider continuing to follow that program to minimize the risk of identity theft to their patients.