Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required

May 1, 2009

Today is no longer the deadline for health care providers and other businesses regulated by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) to begin complying with the identity theft detection and prevention (“Red Flag Rules”) adopted by the Federal Trade Commission (“FTC”).

While health care providers have more time to comply, they can’t breathe easy.  Finalizing arrangements to comply with these new mandates and other recent amendments to the health care privacy and data security requirements applicable to health care providers under recently enacted amendments to the Health Insurance Portability & Accountability Act (“HIPAA”) and FACTA and other recent regulatory and enforcement changes to these rules requires that health care providers move quickly.  Learn more about these recent changes here.

The FTC announced yesterday (April 30, 2009) its extension of the Red Flag Rule enforcement date to until August 1, 2009.  Before yesterday’s announcement, health care providers and other FACTA-regulated businesses were required to comply with the Red Flag Rules today.  The announcement means these organizations now have an additional three months to adopt the necessary policies and processes to monitor and respond to possible identity theft required under the Red Flag Rules.

According to the FTC announcement, organizations regulated by FACTA also will need to review their practices in light of additional guidance that the FTC expects to issue soon.  For entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC plans soon to release a template to help them comply with the law.  Yesterday’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

The FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many  doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, and a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule.

For assistance in reviewing and updating your privacy and data security practices or addressing other health care compliance and risk management policies, practices or programs, assessing the strength of your controls in addressing these laws or other healthcare laws and regulations, or in addressing other compliance or health care concerns, please contact Cynthia Marcotte Stamer at cstamer@CTTLegal.com or (214) 270- 2402.

You can find more information about the Red Flag Rules and other privacy and identity theft matters at CynthiaStamer.com.  If you need assistance with questions or compliance with these or other privacy and data security rules or other health law matters, contact Cynthia Marcotte Stamer at (214) 270.2402, or cstamer@cttlegal.com.

For More Information

We hope that this information is useful to you. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 270-2402 or via e-mail to cstamer@CTTLegal.com.

 
You can review other recent updates and other publications by Ms. Stamer and other helpful health care resources and additional information about Ms. Stamer and her experience, see Stamer Health Industry Experience. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here or by registering to participate in the Solutions Law Press Health Care Update blog at Health Care Update Blog or by joining the join the SLP Health Care Risk Management & Operations Group on linkedin.com. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

Advertisement