Obama Signs Red Flags Exemptions Bill

Physicians, Attorneys, Many Hospitals No Longer Must Comply
Obama Signs Red Flags Exemptions Bill
President Obama on Saturday signed legislation that exempts certain businesses, including physician practices and apparently most hospitals, from the Identity Theft Red Flags Rule.

The Red Flags exemption law more narrowly defines the term "creditor" so that, in effect, far fewer organizations must comply with the rule.

Sens. John Thune, R-S.D., and Mark Begich, D-Alaska, introduced the measure, S 3987.

Red Flags Exemptions

The legislation "makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services..." according to a colloquy in support of the bill from Sen. Christopher Dodd, D-Conn.

The Federal Trade Commission had previously postponed enforcement of the Red Flags Rule several times. Organizations representing attorneys and physicians had filed lawsuits to block the FTC from applying the rule to these professionals.

Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft. The rule applies, for example, to banks and federally-chartered credit unions, which are examined for Red Flags compliance by their federal regulators.

The rule still applies to state-chartered credit unions, says Anthony DeMangone, director of regulatory compliance at the National Association of Federal Credit Unions. "The bill doesn't affect state chartered credit unions at all," he says. "They'll have to comply when the latest FTC extension expires, which is the end of this year."

Red Flags Compliance

Under the new exemption law, creditors that must comply with the Red Flags rule would no longer include those who "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."

Creditors that must comply are those that obtain and use consumer reports in connection with a credit transaction and furnish information to consumer reporting agencies. Also included are so-called payday loan companies that don't necessarily use consumer reports, according to a staffer for Begich.

"Any other type of creditor may only be covered through a rulemaking based upon an agency's determination that these type of creditors offer or maintain accounts that pose a reasonably foreseeable risk of identity theft," Thune said in the colloquy.

Don Asmonga, government relations manager for the American Health Information Management Association, said the bill apparently would exempt most hospitals as well as physicians. He said he interprets the bill's language to mean "If a hospital does not regularly request credit reports, then they would be exempt from the Red Flags Rule."

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.