On May 28, 2010, William H. Maruca, editor of this blog, reported in a post entitled Red Flag Reprieve – Déjà vu All Over Again that, under pressure from Congress, the Federal Trade Commission (“FTC”) had agreed to postpone enforcement of its “Red Flags Rule” until January 1, 2011.  


On June 1, 2010, an article in The National Law Journal  discussed the  postponement insofar as enforcement of the Red Flags Rule by the FTC against doctors, lawyers, and other professionals would require them to develop written identity theft prevention programs.  The article further noted that the postponement followed separate lawsuits by the American Bar Association and the American Medical Association and other physician associations on behalf of their respective professionals against the FTC, arguing that imposing the identity theft rule requirements on their members is arbitrary, capricious and has no legally supportable basis.  The article quoted FTC Chairman Jon Leibowitz as stating that Congress needs to clarify and fix problems in the application of the Red Flags Rule quickly to permit the FTC to carry out its enforcement obligations.


“Financial Institutions” and “creditors” with “covered accounts” are governed by the Red Flags Rule.  Therefore, a physician, other healthcare provider or lawyer could be subject to the Red Flags Rule if any activities meet the definition of a creditor with a covered account.  This broad definition essentially includes anyone who bills after providing services or allows patients or clients to defer payment.  One could be deemed a creditor simply because it allows a patient or client to defer payment for medical or legal services rendered. 


The “final” Red Flags Rule was promulgated by the FTC as long ago as November 9, 2007 under the Fair and Accurate Credit Transaction Act of 2003.  The original compliance date for the Red Flags Rule was November 1, 2008.  However, because many healthcare providers and professionals were unaware of or uncertain as to whether the requirements of the Red Flags Rule applied to them, the FTC delayed the initial enforcement date to May 1, 2009.


Discussions and correspondence between the healthcare sector and the FTC to clarify whether health care providers, such as physicians and other providers such as hospitals, must comply with the Red Flags Rule followed.  As a result of those discussions and the subsequent lawsuits discussed above, the FTC suspended enforcement of the Red Flag Rule multiple times, with the most recent enforcement deadline date being postponed to January 1, 2011.


Significant changes with respect to the application of the Red Flags Rule may be on the horizon for the healthcare industry.  It is not clear that Congress will act or, if it does, that the legislation will clearly define the applicability of the Red Flags Rule to a specific type of healthcare provider. Providers should keep apprised of developments that may affect them.