May 28, 2010 Update: FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule
At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.
"Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift," FTC Chairman Jon Leibowitz said. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as "red flags" – that could indicate identity theft.
The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.
The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.
In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm). The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.
As was the case previously, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R. § 641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R. § 681.2).
For questions regarding this Enforcement Policy, please contact Naomi Lefkovitz or Pavneet Singh, Bureau of Consumer Protection, 202-326-2252.
August 3, 2009 Update: Federal Trade Commission (FTC) Red Flags Rule Applies to Pedorthists - Implementation Deadline Extended Again to November 1, 2009
May 11, 2009 Update: Federal Trade Commission (FTC) Red Flags Rule Applies to Pedorthists - Implementation Deadline Extended to August 1, 2009
April 30, 2009 Update: Federal Trade Commission Red Flags Rule Currently Applies to Pedorthists
Effective August 1, 2009, many pedorthists and other healthcare providers will be required under a little-known federal law to help the government detect, prevent and mitigate "red flags" of identity theft. Businesses not in compliance may face a penalty of up to $2,500 for each "knowing violation".
The Federal Trade Commission (FTC) implemented so-called red flag rules that impose certain requirements on financial institutions and creditors to work to curtail the growing issue of consumer identity theft.
The rules originally were supposed to take effect November 1, 2008, but the FTC delayed them at the request of healthcare providers, who argued that the inclusion of healthcare providers was unintended. Discussions with the FTC concerning the necessity of taking healthcare providers out from under these rules continue. However, you need to be aware of what to expect if those discussions do not succeed.
Pedorthists are subject to the red flag rules if they meet two qualifications:
The pedorthist is a creditor. Creditor is broadly defined as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."
For example, if a pedorthist renders services to a patient without taking full payment at the time of service but instead defers payment by billing the patient, the pedorthist is a creditor.
A more likely scenario for a pedorthist, though, is one in which the pedorthist renders services to a patient and accepts the patient's co-pay; in that case the pedorthist is a creditor, regardless of whether the pedorthist receives payment from an insurance company. However, accepting credit cards as a form of payment does not, in and of itself, make one a creditor.
Secondly, the pedorthist must offer or maintain covered accounts for patients.
Under the rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions, and any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to patients of identity theft.
Additionally, the creditor must have a continuing relationship with the patient before the patient's account is considered a covered account. That means a one-time patient would not be considered as having a continuing relationship with the pedorthist.
In applying this definition to pedorthists, all patient accounts are offered for personal, family, or household purposes and all of these accounts contain personal identifying information for which there is a foreseeable risk of identity theft.
The definitions of a creditor and a continuing relationship are at the heart of the argument between the FTC and organized medical groups. Medical associations argue that practitioners weren't named specifically in the rules, and that any business that bills after providing a service to a frequent customer would be subject to the rule, which was not the intent.
Under the red flag rules, pedorthists who are creditors who offer or maintain covered accounts are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft.
The FTC considers a red flag to be a "pattern, practice, or specific activity that indicates the possible existence of identity theft." At a minimum, the rules require policies and procedures to:
- Identify relevant red flags and incorporate them into the program.
- Detect red flags in patient accounts.
- Respond appropriately to any red flags detected in patient accounts.
- Ensure the program is updated periodically to reflect changes in risks to patients, and the safety and soundness of the pedorthist from identity theft.
- Additionally, pedorthists must train staff to implement the program and exercise appropriate and effective oversight of it.
Many of the same safeguards that pedorthists use to meet HIPAA requirements overlap with the safeguards required to comply with the red flag rules. Personal Health Information (PHI) as defined by HIPAA is covered by the Red Flags Rule, but the rule also extends to credit card information; tax identification numbers such as Social Security numbers, business identification numbers and employer identification numbers; insurance claim information; and background checks for employees and service providers. For additional information on the federal requirement, and how to comply, see the FTC's publication "Fighting Fraud with the Red Flags Rule – A How to Guide for Business."
PFA continues to monitor the applicability of this regulation to healthcare providers and will keep you updated, especially if the Federal Trade Commission determines that the rule does not apply to healthcare providers.
Sample Policy for Pedorthists – Pedorthic Practice/Business Policies and Procedures for Identity Theft Prevention and Detection, and Compliance with Federal Trade Commission Red Flags Rule
FTC Identity Theft Affidavit by Patients/Clients Who Have Been Victims of Identity Theft
FTC publication "Fighting Fraud with the Red Flags Rule - A How to Guide for Businesses"
The Red Flags Rule
FTC's Do It Yourself Template for Low Risk Businesses
Frequently Asked Questions About the Red Flags Rule (Note: clicking this link will send you to the FTC website. PFA is not responsible for the content contained on that site).
Getting Red Flags Ready Video (Note: clicking this link will send you to the FTC website. PFA is not responsible for the content contained on that site).
The Red Flags Rule: What Health Care Providers Need to Know About Compliance