- Health Care Providers are Exempt From the Red Flags Rule
- January 4, 2011
- Law Firm: Hinshaw & Culbertson LLP - Rockford Office
Under the Red Flag Program Clarification Act of 2010 (RFPCA), health care providers and other businesses that accept deferred payment for goods and services are exempt from being classified as “creditors” for purposes of the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act of 2003. Such entities and individuals therefore do not have to comply with the Federal Trade Commission’s (FTC’s) Red Flags Rule, which requires creditors to develop and implement written identity theft prevention programs. The RFPCA became effective on December 18, 2010.
A “creditor” under the RFPCA is any person or entity which regularly and in the ordinary course of business: (1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds, or repayable from specific property pledged by or on behalf of the person.
The application of the Red Flags Rule to certain professionals, including health care providers, accountants and attorneys, was controversial and led to the enactment of the RFPCA, which exempts from the definition of “creditor” any person or entity which “advances funds” under clause (3) above, but that does so “on behalf of a person for expenses incidental to a service provided by the creditor to that person.” Thus, a health care provider which provides medical services, but does not require payment in full at the time the service is rendered, is not a “creditor” for purposes of the Red Flags Rule, and therefore does not need to develop and implement written identity theft prevention programs designed to detect activities known as “red flags” that are signs of identity theft.
The FTC began enforcement of the Red Flags Rule against creditors on December 31, 2010. The enforcement deadline was delayed five times, with an original commencement date of November 1, 2008.