Red Flags and Health Departments Revisited — Again
On December 7, Congress gave final approval to the Red Flag Program Clarification Act of 2010. The bill is still awaiting the President’s signature, but his approval is expected. Meanwhile, various health care provider organizations have issued news releases proclaiming victory in the long battle to exempt health care providers from the federal Red Flags rule. But will the Clarification Act really exempt health care providers from the rule? I think the ultimate answer is more likely to be yes than no, but I’m hedging because on this point the “clarification” is not as clear as one might have hoped.
The term “Red Flags rule” refers to a set of federal regulations that (among other things) require certain businesses and governmental entities to develop identity theft prevention programs. Such programs must include procedures for detecting red flags – that is, activities, practices or patterns that could indicate an instance of identity theft. My colleague Kara Millonzi described the rules in detail in an October 2009 blog post, and I wrote specifically about their application to North Carolina local health departments in a separate post.
The rule became effective January 1, 2008, but enforcement of the portion requiring identity theft prevention programs has been delayed five times. Enforcement by the Federal Trade Commission (FTC) is now scheduled to begin on January 1, 2011. When the fifth delay was announced, the FTC explained that the purpose of the extension was to permit Congress to consider legislation that could affect which entities were covered by the rule. Although the FTC didn’t mention it, the agency may also have been influenced by lawsuits filed by various groups claiming the FTC had overreached its authority by extending the rule’s coverage to professional service providers such as attorneys or physicians.
What created all this hullabaloo? The Red Flags rule applies to “creditors,” a term that is defined to include entities who regularly extend, renew, or continue credit. The FTC concluded this term included health care providers and other professional service providers who allow clients to receive services now and pay for them later.
Several professional groups objected early and fiercely to the FTC’s conclusion. Congress appeared poised to act on those objections in October 2009, when the U.S. House approved a bill (HR 3763) that would have provided a clear exemption from the Red Flags rule for health care, accounting, or legal practices with twenty or fewer employees. However, that bill was never acted upon by the Senate.
The Clarification Act approved by Congress last week (S 3987) also addresses the scope of the definition of “creditor,” but it does not specifically refer to health care providers or any other category of professional service provider. Instead, it provides an exclusion from the definition of creditor for entities “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
What does this mean for health care providers? Some health care provider organizations promptly took the position that it means they are exempt from the Red Flags rule – see, for example, statements by the American Medical Association and the American Academy of Family Physicians. They may be correct. The Congressional Record provides support for the idea that legislators who voted for the Clarification Act intended to let health care providers off the red flags hook.
But the Clarification Act also includes a provision that may permit the FTC to make entities that otherwise meet the definition of creditor subject to the Red Flags rule, “based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.” Because of this provision, some commentators have expressed concern that the FTC may conclude at least some health care providers still fall under the rule, especially given that the FTC has in the past expressed particular concern about medical identity theft. (You can read an example of this line of reasoning here.) The FTC itself has not yet given any clues to how it may interpret this authority — its sole public comment on the Clarification Act is brief and does not mention implementation plans.
What does this mean for North Carolina’s local health departments? I think it’s likely they’ll end up not having to comply with the Red Flags rule, but I’m not ready to state that as a final conclusion. For now, I think it would be wise for health departments to hold on to the identity theft prevention programs that most of them have already prepared, and await more information from the FTC regarding which entities they believe the Clarification Act exempted from the rule. I would hope and expect that FTC guidance will come soon, given that enforcement is scheduled to begin January 1 (and now that Congress has acted, I wouldn’t count on a sixth delay in enforcement).