Red Flags Rule and Identity Theft Prevention Programs

The Red Flags law requires creditors to have in place Identity Theft Prevention Programs. In light of recent changes in the Red Flags law, there seems to be some confusion as to whether healthcare providers are categorically excluded from the requirements of the law. While some commentators have espoused the belief that the Red Flags Clarification Act categorically exempts healthcare providers from the Red Flags Rule, that is not what the Act says, nor is that the position of the Federal Trade Commission (“FTC”). Rather, a case by case analysis is required to determine whether the law applies to a given healthcare provider.

Under the recent changes to the Red Flags laws, a “creditor” is defined to be one who: regularly and in the ordinary course of business obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction [essentially the deferment of payment of a debt, including payments in installments over time or while awaiting payment from insurers]; regularly and in the ordinary course of business furnishes information to consumer reporting agencies, as described in 15 U.S.C. §1681s–2, in connection with a credit transaction; or regularly and in the ordinary course of business advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

To the extent a healthcare provider does one or more of these activities, it could be a “creditor”who is required to adopt and implement a Red Flags Identity Theft Prevention Program under the law.

The above summary highlights key aspects of the law, but an in depth analysis is required in each situation. For example, whether or not there is a credit transaction must be examined in light of a healthcare provider’s practices and also whether the healthcare provider maintains “covered accounts” as defined under the law. Each element of the law must be examined in relation to the facts as they exist for a given healthcare provider. The risk, of course, is that some healthcare providers unknowingly may be engaging in activities that require the provider to have an Identity Theft Prevention Program in place, thereby opening the door to liability for not having such a program.