In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.
In our prior post, Gabriel Helmer and I discussed the scope of the Red Flag Rules and how the FTC has come under fire for broadly interpreting the term “creditor” to include any entity that regularly accepts payment after it delivers goods or services to its customers. In particular, we discussed a letter (.pdf) from the American Medical Association (AMA) to the FTC chairman challenging the FTC’s application of these regulations to the healthcare industry.
Recently, the FTC has responded (.pdf) to the AMA by articulating the legal support for its interpretation. In its response, the FTC unambiguously endorses the broad construction of the term “creditor” to include any and all entities that regularly permit payment after the provision of goods or services — “even [if only] in the normal course of a traditional billing process.” The FTC claims this broad reading is necessary to deter identity theft because “[i]dentity thieves look for opportunities to obtain products or services that do not require payment up-front.” (emphasis added).
The FTC, with unusual frankness, emphasizes that no industry is exempt as a “creditor” because the definition of “creditor” is “activity-based, not industry based.” In other words, the test of whether you are a “creditor” does not depend on what goods or services you provide, but on the way you bill your clients. The FTC also pulls no punches when identifying potential “creditors,” listing a wide range of industries and businesses, including physicians, lawyers, merchants, repair persons, and even “a local store where a customer runs up a tab.”
The FTC primarily supports this interpretation with commentary from the Federal Reserve Board on parallel regulations: "[i]f a service provider (such as hospital, doctor, lawyer or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for the purposes of the regulation, even though there is no finance charge and no agreement for payment in installments." While this commentary has some appeal, the FTC seems unable to find direct support in court decisions and only cites a judicial aside ("obiter dicta") from the district court in Barney v. Holzer Clinic, Ltd., 902 F.Supp. 139 (S.D. Ohio 1995) — a case in which the healthcare provider was ultimately held not to be a "creditor." The FTC also attempts to distinguish Reithman v. Berry and Shaumyan v. Sidetex Co., the two appellate court decisions cited by the AMA. All in all, the FTC letter contains an extended explanation of the FTC’s position, but legal scholars will find the FTC letter devoid of any substantive court decision or controlling legal precedent that justifies applying the FTC’s broad interpretation of "creditor" to most businesses.
While the FTC’s position may be unyielding with respect to which entities are covered by the Rules, the FTC does appear to be taking a softer approach with respect to compliance. As the letter puts it: "We are, of course, sensitive to the concern that the Rule requirements could be burdensome for health care providers, potentially leading to unintended costs for consumers." The FTC’s letter suggests that the Red Flag Rules are highly flexible with respect to what security measures are required. According to the FTC, covered entities should design identity theft prevention programs commensurate with their level of risk: “high risk entities would tend to have more elaborate [Identity Theft Prevention] Programs, while low risk entities could have streamlined and less complex Programs.” The FTC lists several security measures that healthcare providers should consider:
- checking photo identification at the time a patient seeks healthcare services,
- placing a "hold" on efforts to collect debts when notified that a patient’s identity has been stolen,
- not reporting fraudulent transactions to credit reporting agencies, and
- maintaining information about a known identity thief separately from the records of the original patient.
The FTC thus continues to maintain its position on the broad scope of the Red Flag Rules and its attempt to push the healthcare industry, among others, to develop risk-based information security programs.
- The February 4, 2009 letter sent by the FTC to the AMA is available here (.pdf).
- The September 30, 2008 letter sent by the AMA to the FTC chairman is available here (.pdf) or from the AMA’s website here (.pdf).