Last year, the Federal Trade Commission (FTC) and five federal banking regulators jointly published regulations addressing the obligations of “financial institutions” and “creditors” to prevent identity theft.[1] Called the “Red Flag Rule,” the regulations take effect November 1, 2008.

On October 22, 2008, the FTC announced that it will suspend enforcement of the obligation to implement the identity theft prevention program portion of the Red Flag Rule until May 1, 2009. All other aspects of the Red Flag Rule remain effective and enforceable as of November 1, 2008.[2]

There is uncertainty and confusion whether the Red Flag Rule applies to health insurers. It appears unlikely that the Red Flag Rule applies to a health insurer’s core businesses of insuring and administering health benefits. A health insurer does not hold consumer “transaction accounts” or extend “credit”—the activities that would make a health insurer a “financial institution” or a “creditor” as defined by the Red Flag Rule—when insuring or administering health benefits in the individual or group markets.

Health insurers may, however, engage in business activities that use “consumer reports,” hold consumer “transaction accounts,” or extend “credit”—the activities to which the Red Flag Rule applies. We issue this Bulletin to set out an analytical framework for health insurers to assess whether they are conducting such activities and, therefore, may be subject to the Red Flag Rule.

Using this analytical framework, each health insurer should examine its activities—now and periodically hereafter—to determine—and document—whether any is covered by the Red Flag Rule. That way, a health insurer will be prepared to demonstrate either why it is not obligated to comply with the Red Flag Rule or how it has complied with the Red Flag Rule.

Application of the Red Flag Rule to Health Insurers

Only the FTC’s Red Flag Rule, published in 16 C.F.R. Part 681, can apply to health insurers, as the five federal banking regulators issuing a Red Flag Rule have no jurisdiction over state-licensed insurers. The FTC has jurisdiction over health insurers to the extent they are subject to the Federal Trade Commission Act and enforces the Red Flag Rule with respect to individuals and entities subject to the Federal Trade Commission Act.

The FTC has not addressed the circumstances in which the Red Flag Rule may apply to health insurers or their activities. Consequently, health insurers must parse through the definitions and requirements of the Red Flag Rule to assess whether they engage in activities that may subject them to the Red Flag Rule.

The Red Flag Rule’s Consumer Report Address Discrepancy Requirements (16 C.F.R. § 681.1)

(FTC enforcement effective November 1, 2008)

The Red Flag Rule imposes requirements on “users of consumer reports” to respond to address discrepancy “red flags” in consumer reports as one means to prevent identity theft.[3] A health insurer can be a user of consumer reports, for example, by requesting them in conjunction with underwriting individual policies.

The Red Flag Rule requires a user of consumer reports to implement “reasonable” policies and procedures to enable the user “to form a reasonable belief” whether a consumer report pertains to the consumer for whom the consumer report was requested. The user must follow these policies and procedures whenever it receives notice from a consumer reporting agency[4] of a discrepancy between the consumer’s address on file with the consumer reporting agency and the consumer’s address furnished by the user in requesting the consumer report.

The user must further have “reasonable” policies and procedures for furnishing the consumer reporting agency, which provided the notice of address discrepancy, with the consumer’s address that the user has “reasonably confirmed” is accurate, if the user (a) has a continuing relationship with the consumer, (b) regularly and in the ordinary course of business furnishes information to the consumer reporting agency that provided the notice of address discrepancy, and (c) has a “reasonable belief” that the consumer report relates to the consumer about whom the consumer report was requested. These policies and procedures must provide that the user will furnish the consumer’s address “reasonably confirmed” to be accurate to the consumer reporting agency “as part of the information [the user] regularly furnishes for the reporting period in which [the user] establishes a relationship with the consumer.”

A health insurer should determine if it uses consumer reports. If it does, the health insurer is obligated to develop and implement policies and procedures to manage address discrepancies in consumer reports in accordance with the Red Flag Rule’s requirements.

The Red Flag Rule’s Identity Theft Prevention Program Requirements (16 C.F.R. § 681.2)

(FTC enforcement delayed until May 1, 2009)

The Red Flag Rule imposes requirements on “financial institutions” and “creditors” to determine if they have “covered accounts.” “Financial institutions” and “creditors” that have “covered accounts” must develop and implement an identity theft prevention program to protect their “covered accounts” from identity theft “red flags”—patterns, practices, or specific activities that indicate the possible existence of identity theft.

A health insurer must, thus, qualify as either a “financial institution” or a “creditor”—as defined by the Red Flag Rule—to be obligated to determine if it has “covered accounts” that must be protected by an identity theft prevention program.

“Financial Institution.” A “financial institution” is a “State or National bank, a State or Federal savings and loan association, a mutual savings bank, [or] a State or Federal credit union.” A health insurer is none of these.

A “financial institution” is also an individual or entity that, directly or indirectly, “holds”—has custody of—“a transaction account . . . belonging to a consumer.” A “consumer” means an individual (i.e., a human being). Hence, holding a “transaction account” of an employer or other entity that is a corporation, limited liability company, partnership, association, trust, or other legal entity cannot make a health insurer a financial institution under the Red Flag Rule. Rather, a health insurer must have custody of a transaction account belonging to a consumer, such as an individual policyholder or an enrollee in a group health plan, to be a financial institution under the Red Flag Rule.

“Transaction Account.” A “transaction account” is “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.” Examples of “transaction accounts” are “demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.”

A health insurer needs to examine its arrangements with its individual policyholders and the enrollees in the group health plans it insures or administers to determine whether any results in the health insurer directly or indirectly having custody of transaction accounts belonging to consumers. Health insurers do not generally have custody of consumer transaction accounts, as health insurers are not usually chartered or otherwise qualified to engage in depository banking activities. Certain consumer-directed health benefits arrangements, such as health savings accounts, flexible spending arrangements and health reimbursement arrangements, could, however, be considered transaction accounts.

Health Savings Accounts. The Internal Revenue Code § 223(d) defines a health savings account (HSA) as “a trust created or organized . . . exclusively for the purpose of paying the qualified medical expenses of the account beneficiary.” The “account beneficiary” is the “individual” for whom the HSA is established. Hence, an HSA belongs to an individual and is designed to permit the individual to make withdrawals to pay others (as well as reimburse the individual) for incurred qualifying medical expenses. That makes an HSA a transaction account belonging to a consumer.

The Internal Revenue Code allows the “trustee” that holds an HSA to be “an insurance company.” Hence, a health insurer can hold—have custody of—HSAs. Such a health insurer is a financial institution under the Red Flag Rule.

Flexible Spending Arrangements and Health Reimbursement Arrangements. A flexible spending arrangement (FSA) is defined by Internal Revenue Code § 106(c)(2) as “a benefit program which provides employees with coverage under which specified incurred expenses may be reimbursed.” A health reimbursement arrangement (HRA) is characterized in Internal Revenue Code § 1203(f)(2) as “employer-provided coverage under an accident or health plan.” Revenue Ruling 2002-41, accordingly, defines an HRA as “an employer-provided accident and health plan used exclusively to reimburse expenses incurred for medical care.”

These definitions indicate that FSAs and HRAs are not transaction accounts belonging to consumers; they are, instead, an employer’s “benefit program” or “health plan” providing “coverage” that reimburses employees for their incurred qualifying medical expenses. Nonetheless, FSAs and HRAs could be construed to be transaction accounts belonging to consumers on the grounds that, once established, employees are permitted to withdraw funds from the FSAs or HRAs to cover incurred qualifying medical expenses.

There are, however, several problems with this construction of FSAs and HRAs. First, the funds in FSAs and HRAs belong to the employer, not employees—the employer must dispense FSA or HRA funds only upon employees’ presentation of evidence of qualified medical expenses incurred, and any funds not dispensed for qualified medical expenses incurred remain the employer’s property. Second, the employer, not employees, is the “depositor” and the “account holder” with the depository institution that the employer selects to hold FSA or HRA funds. Third, the employer’s disbursements from FSAs and HRAs are reimbursement to employees for qualifying medical expenses already incurred, not “payments or transfers to third parties or others” (unless the employer allows employees to direct payment to providers or other third parties). Finally, even if FSAs and HRAs were deemed to be transaction accounts belonging to consumers, it is unclear that a health insurer’s administration of FSAs and HRAs means that the health insurer holds—has custody of—the FSAs and HRAs for purposes of the Red Flag Rule.

“Creditor.” A “creditor” is an individual or entity that “regularly” extends, renews or continues, or arranges for the extension, renewal or continuation of, credit, or that is the assignee of an original creditor who participates in the decision to extend, renew or continue credit. “Credit” is the “right” a creditor grants to a debtor “to defer payment of debt or to incur debts and defer [their] payment or to purchase property or services and defer payment therefor.”

Unlike the definition of financial institution, the definition of creditor does not limit a creditor to dealing with consumers. Hence, “regularly” granting the “right” to business entities or consumers to elect to incur debt by deferring payment due can make a health insurer a creditor under the Red Flag Rule.

Accordingly, a health insurer needs to determine whether it “regularly” grants any of its business or consumer customers the “right” to incur debt by deferring payments due. Neither the Red Flag Rule nor the FTC in guidance has defined “regularly” or “right” in the context of extending “credit.” Logically, to “regularly” grant the “right” to customers to incur debt by deferring payments due, a health insurer would have to make known to its customers the terms under which the customers may elect to incur debt by deferring payments due. Case-by-case accommodations of certain customers with unique circumstances and cure periods for payment defaults seem insufficient to be “regularly” granting the “right” for customers to elect to incur debt by deferring payments due.

Examples of activities that may be considered granting the “right” to incur debt by deferring payments due, which, if done “regularly,” would make a health insurer a creditor under the Red Flag Rule, include a health insurer regularly granting its individual or group policyholders the right to elect to spread over time premiums, administrative service fees or other financial obligations due. Less clear is whether a “grace period” that a health insurer’s policies provide, or are required to provide, to its individual or group policyholders, during which coverage continues notwithstanding failure to pay premium due, is an extension of credit, rather than a brief period for a policyholder to cure a payment default and avoid losing coverage. If viewed as payment default cure periods, “grace periods” should not be sufficient to make a health insurer a creditor under the Red Flag Rule.

“Covered Accounts.” Every financial institution or creditor must “periodically determine whether it offers or maintains covered accounts.” As part of this determination, the financial institution or creditor must conduct a “risk assessment” to identify whether its “covered accounts” present a “reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” This risk assessment must take into consideration (a) how accounts are opened, (b) how accounts are accessed, and (c) previous experience with identity theft.

  • “Account.” An “account” is a “continuing relationship established” by an individual or entity with a financial institution or creditor to “obtain a product or service for personal, family, household or business purposes.” Individuals and group health plan sponsors “establish” such “continuing relationships” with the health insurer from which they obtain the “product or service” of health benefits insurance or administration for their “personal, family, household, or business purposes.” A health insurer thus has “accounts” with the individuals and group health plan sponsors whose health benefits it insures or administers.
  • “Covered Account.” A continuing relationship becomes a “covered account,” which triggers the requirement for a financial institution or creditor to develop and implement an identity theft prevention program, if the customer’s relationship with the financial institution or creditor satisfies either of the following:
    • Risk of Identity Theft. A customer relationship is a covered account if it presents a “reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Thus, a health insurer, otherwise qualified as a financial institution or creditor under the Red Flag Rule, must determine whether its customer relationships in the individual and group markets face “reasonably foreseeable risk” from identity theft. Those customer relationships that do must be protected by an identity theft prevention program.
    • Primarily for Personal, Family or Household Purposes. A customer relationship is a covered account if it is established “primarily for personal, family or household purposes, [and] involves or is designed to permit multiple payments or transactions.”
      • Individual Policyholders. A health insurer’s relationships with individual policyholders appear to be covered accounts. These relationships are established to obtain health insurance primarily for the individuals’ personal, family or household purposes, are designed to permit multiple transactions to pay for health benefits, and are continuing for the term of the policy. Hence, a health insurer, otherwise qualified as a financial institution or creditor under the Red Flag Rule, must protect its individual policyholders with an identity theft prevention program.
      • Sponsors of Group Health Plans. It is unclear whether a health insurer’s relationships with sponsors of group health plans it insures or administers are covered accounts based on their being primarily for personal, family or household purposes (rather than based on risk of identity theft). Although these relationships are continuing and designed to permit multiple transactions to pay health benefits for the group health plans’ enrollees, it is not clear whether sponsors establish them for the enrollees’ personal, family or household purposes or for the sponsor’s business purposes. If the latter, a health insurer’s relationships with group health plan sponsors would not qualify as covered accounts. If the former, a health insurer would appear to have a covered account with each group health plan enrollee, which the health insurer would be required to protect with an identity theft prevention program if the health insurer were otherwise a financial institution or creditor under the Red Flag Rule.
      • Health Savings Accounts. An HSA appears to be a covered account—it is primarily for the personal, family or household purposes of the account beneficiary and is designed to permit the account beneficiary to make multiple payments for incurred qualifying medical expenses. Hence, a health insurer that holds HSAs (and is thus a financial institution under the Red Flag Rule) must protect those HSAs with an identity theft prevention program.
      • Flexible Spending Arrangements and Health Reimbursement Arrangements. Besides the uncertainty whether FSAs and HRAs are consumer transaction accounts, there is uncertainty whether FSAs and HRAs are covered accounts based on their being primarily for personal, family or household purposes (rather than based on risk of identity theft). If these arrangements were construed as established by employers primarily for their employees’ personal, family, or household purposes, rather than for the employers’ business purposes, FSAs and HRAs would be covered accounts.

Identity Theft Prevention Program. A health insurer that qualifies as a financial institution or creditor under the Red Flag Rule and has covered accounts must develop and implement a written identity theft prevention program. The program must be “designed to detect, prevent, and mitigate identity theft” in connection with the covered accounts, and include “reasonable” policies and procedures to identify, detect, and respond to identity theft “red flags.”

The identity theft prevention program must be updated periodically “to reflect changes in risks to customers and to the safety and soundness of the [health insurer] from identity theft.” The program must (a) be approved by the health insurer’s board of directors (or an appropriate board committee), (b) involve the health insurer’s board of directors (or an appropriate board committee) or a designated senior manager in development, implementation, administration and oversight, (c) include staff training to ensure effective implementation, and (d) institute effective oversight of service provider arrangements.

The Red Flag Rule’s Debit and Credit Card Change of Address Protections (16 C.F.R. § 681.3)

(FTC enforcement effective November 1, 2008)

A health insurer that qualifies as a financial institution or creditor under the Red Flag Rule and issues consumers debit or credit cards is required to establish and implement “reasonable policies and procedures to assess the validity of a change of address” regarding the consumer’s debit or credit card account. The health insurer must apply these policies and procedures if, “within a short period of time” after receipt of a change of address notice (to be no shorter than the first 30 days following receipt of the change of address notice), the health insurer receives “a request for an additional or replacement card for the same account.”

No additional or replacement card may be issued in these situations until the health insurer has either (a) given the consumer holding the debit or credit card a reasonable means of promptly reporting discrepancies to the health insurer, after the health insurer notifies the consumer, at the consumer’s former address or by other communications to which the health insurer and the consumer have previously agreed, of the request for the additional or replacement card, or (b) otherwise assessed the validity of the change of address in accordance with its identity theft prevention program.