FTC Grants Reprieve: Health Care Companies Prepare
The Federal Trade Commission announced October 22, 2008 that it would delay enforcement of the new Red Flag Identity Theft Rules (rules that require organizations to spot and protect against the red flags that can be signs of potential identity theft), pushing the compliance deadline from November 1, 2008 to May 1, 2009.[1] Under these rules, certain companies must identify and detect identity theft red flags, develop written programs to prevent and mitigate identity theft, and update their programs on a regular basis. The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
The primary reason for the delayed enforcement is the high degree of confusion and uncertainty among employers and across major industries as to whether they are subject to the rules. Since many employers learned only recently of the requirements of the rules and their potential applicability, the FTC correctly recognized that there is insufficient time for such companies to develop programs in time for the November 1st deadline.
Many in the health care industry have been surprised to learn that they may be subject to these rules. The Red Flag Identity Theft Rules apply to every "financial institution" and to any "creditor" that offers or maintains one or more "covered accounts." Covered accounts, in turn, are defined as:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
The FTC is mainly responsible for overseeing "creditors" rather than traditional banking and financial institutions, and the majority of the confusion stems from the question of who in fact is a "creditor" for purposes of these rules. According to the rules, the term creditor is defined in the same way as in the Equal Credit Opportunity Act ("ECOA"), namely those who regularly:
- Extend, renew or continue credit;
- Arrange for someone else to extend, renew or continue credit; or
- Are the assignee of a creditor who is involved in the decision to extend, renew or continue credit.
However, the FTC has taken this a step further and claimed that "any person that provides a product or service for which the consumer pays after delivery is a creditor." FTC Announcement, October 22, 2008. Particularly with respect to health care providers, the FTC has stated that:
- Health care providers are creditors if they bill consumers after their services are completed; or
- Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees.
In addition, the Preamble to the Red Flag Identity Theft Rules suggests a concern about health care data: "[f]or instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services), and therefore, must identify Red Flags that reflect this risk." 72 Fed. Reg. 63718, 63727 (Nov. 9, 2007).
However, simply accepting credit cards will not render a health care provider a "creditor." While the FTC has not issued similar guidance for health insurance carriers and HMOs, it is possible that these organizations may also be considered creditors.
At least one court has taken the position that allowing a client to pay fees sometime after the services are rendered does not render the entity a "creditor" under the ECOA. Reithman v. Berry, 287 F.3d 274, 277 (3rd Cir. 2002). The court explained that the hallmark of credit under the ECOA is the right of one party to make deferred payment and found that a law firm's continued provision of legal services to half of its clients after their bills became due did not render the firm a "creditor." The court went on to state, in dicta, that the plaintiff's view of the ECOA would "embrace doctor's fees, dentists' fees, accountants' fees, psychologists' fees and virtually all other professional fees" and rejected that view, stating that it was "implausible that Congress intended to cover not only banks and other financial institutions but also all professions." Id. at 278.
So the question remains: is a health care provider or health insurance carrier/HMO a creditor subject to the Red Flag Rules or not? The FTC has promised to issue further guidance, but provides no anticipated timeframe for issuing that guidance.
In the meantime, every organization, whether or not a health care provider or health insurance carrier/HMO, should be evaluating security programs and incident response plans to determine whether they are meeting the current industry standard, and more importantly whether their programs will be effective in combating not only identity theft, but data loss of any kind.
[1] The delay in enforcement does not apply to the rules concerning address discrepancies applicable to users of consumer reports (16 C.F.R. § 681.1) and the rule regarding changes of address applicable to card issuers (16 C.F.R. § 681.3). Depending on a health insurance carrier or HMO's particular circumstances, one or both of these requirements may be applicable.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.