July 22, 2009

FTC to Begin Enforcement of Identity Theft Rules on August 1, 2009; Many Healthcare Providers Will Be Required to Comply

Holland & Knight Alert
Maximillian J. Bodoin

Under Red Flags Rules, Covered Entities (Including Non-Profit Organizations) Must Implement a Red Flags Compliance Program

On January 1, 2008, the Federal Trade Commission and five other governmental agencies jointly issued the Identity Theft Red Flags and Address Discrepancy Rules (the Rules). Under the Rules, financial institutions and creditors that maintain certain kinds of “covered accounts” must develop and implement a written program to detect and respond to possible incidents of identity theft. The current deadline for implementation of the Rules is August 1, 2009.

On their face, the Rules appear primarily to regulate financial institutions; but, they actually affect a much broader group of businesses and organizations. In an Enforcement Policy Statement, the FTC noted that “any person that provides a product or service for which the consumer pays after delivery is a creditor” and is subject to the Rules. For example, FTC staff attorneys have told several different groups – including the American Medical Association, the American Hospital Association and the American Bar Association – that physicians, hospitals and other health care providers are “creditors” under the Red Flag Rules if they do not require full payment at the time their services are rendered.

Creditors With “Covered Accounts” Must Implement a Red Flags Program

If an entity qualifies as a “creditor,” it must determine whether it maintains “covered accounts” for its customers. Under the Rules, a covered account is one that is (i) offered or maintained “primarily for personal, family, or household purposes, that permit[s] multiple payments or transactions,” or (ii) any other account offered or maintained by an entity where there is a reasonable risk of identity theft. Any creditor that maintains “covered accounts” must implement a Red Flags Compliance Program before August 1, 2009.

FTC Twice Delays Enforcement to Give Entities More Time to Implement a Program

On October 22, 2008, the FTC announced that it would suspend enforcement of the Red Flags Rules for six months. The FTC stated that, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the [original] November 1 [2008] compliance date, the Commission believes that immediate enforcement of the rule would be neither equitable for the covered entities nor beneficial to the public. . . . Delaying Commission enforcement…will allow these entities to take the appropriate care and consideration in developing and implementing their programs.”

On April 30, 2009, the FTC again announced that it would suspend enforcement of the Red Flags Rules, this time for three months, until August 1, 2009. Chairman Jon Leibowitz said:

Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associates to share guidance with their members…and give Congress time to consider the issue further.

No further extensions are expected.

The following are answers to some frequently asked questions about the Red Flags Rules:

Q: I think my entity qualifies as a creditor with “covered accounts.” What should I do?

A: If you think your entity may fall under the Rules, it is recommended that you implement a Red Flags Compliance Program. This is because non-compliance with the Rules can result in penalties from the FTC of up to $3,500 per individual violation. More importantly, a Red Flags Compliance Program is an excellent “best practice” tool that will help protect your patients from the growing threat of identity theft.

Q: How do I develop a Red Flags Compliance Program?

A: A Red Flags Compliance Program is comprised of (i) a set of written policies, and (ii) a set of procedures designed to detect and respond to certain Red Flags. A Red Flag is a pattern, practice or suspicious activity that may indicate that Identity Theft is taking place. In developing a program, each entity should compile a list of Red Flags that relate to its business operations, develop procedures for detecting those Red Flags and outline a process for appropriately responding when a Red Flag is detected.

The Rules are relatively flexible and allow each entity to tailor its program to reflect the size, scope and sophistication of its operations. If your business operations are relatively simple, your Red Flags Compliance Program similarly may be simple. The entity’s board of directors (or senior staff member(s), if the entity does not have a board) must approve the initial program and the entity periodically must review and update the program.

Q: Where can I get more information?

A: Holland & Knight can provide guidance on the Red Flags Rules and assist you with all issues pertaining to the requirements of a compliance program, or help you to develop a program. The firm has held a web-based seminar to discuss the Rules and to provide information about creating a Red Flags Compliance Program. You can view the seminar at http://webinars.hklaw.com/p43275407.

Related Insights