Health Care Providers Exempt From Red Flags
Congress passes legislation clarifying definition of "creditor."
By Peter W. Crownfield, Executive Editor
After delaying enforcement of the Red Flags rule for more than two years while debating which entities should be covered under the rule and thus required to develop and implement identity theft protection protocols, Congress has passed legislation that clarifies the definition of "creditor" in the rule's language.
In so doing, doctors of chiropractic and other health care providers are now effectively exempt from complying with the rule. The Red Flag Clarification Act of 2010 (S.3987) passed the Senate on Nov. 30, 2010 and the House of Representatives followed suit on Dec. 7, three weeks before the Jan. 1, 2011 deadline for enforcement of the rule. President Obama signed the legislation into law on Dec. 18, 2010.
Creditors, as described in the Nov. 9, 2007 Federal Register, which published details of the rule when it was announced, were originally defined as organizations or other entities ("financial institutions or creditors") that "offer or maintain covered accounts ... A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft."
While S.3987 does not specifically mention doctors of chiropractic or other health care practitioners, the key language from the amended text appears to be the following: "Excludes from the definition of creditor ... any creditor that advances funds on behalf of a person for expenses incidental to a service the creditor provides to that person."
red flag The Red Flags rule was originally scheduled to take effect Nov. 1, 2008, but pressure from Congress and various health care organizations, including the American Chiropractic Association, led the FTC to delay enforcement of the rule five times; first for six months (until May 1, 2009), then until Aug. 1, 2009, then Nov. 1, 2009, June 1, 2010, and finally Jan. 1, 2011. The initial delays were intended to give health care providers and other "creditors" more time to develop and implement identity theft protocols; then to allow time for Congress to decide whether health care practices/practitioners should be exempt from the rule altogether.
While few will argue that protecting customers from identity theft is important, who should bear the responsibility for that protection is another issue altogether. Concerns were raised after the rule was announced that, among other considerations, credit-card companies / banks are the true creditors, not the business / practice that accepts credit as payment for services rendered.
The Red Flag Clarification Act of 2010 appears to exempt not just health care providers, but also other entities previously required to comply with the rule who now meet the exemption criteria as defined in the amended text. Nearly 30 organizations supported passage of the legislation including the ACA, the American Medical Association and the American Bar Association.
In commentary widely quoted online, Sen. Christopher Dodd, D-Conn., chair of the Senate Banking Committee, said the legislation "makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably foreseeable risk of identity theft."