The Federal Trade Commission (FTC) announced on October 22, 2008 that it would delay enforcement of the new "Red Flags Rule" until May 1, 2009, an extension from the original November 1, 2008 date. This six-month delay was announced last week in an effort to give entities to whom the Red Flags Rule applies some much-needed time to develop and implement required identity theft prevention programs.
Among other things, the Red Flags Rule requires organizations that regularly extend credit or defer payment for services to consumers to establish a written program for preventing identity theft, as well as detecting and responding to warning signs of such theft. (Health care providers are considered "creditors" under the Red Flags Rule if they defer payments for health care services through payment plans or by billing patients for insurance deductibles.)
The Red Flags Rule was released almost a year ago as regulations implementing new provisions of the Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003. The FCRA is enforced by the FTC, which provided some outreach and training to organizations on the Red Flags Rule requirements during the course of the year. However, many health care organizations, including health care providers, have only recently become aware of the Red Flags Rule, certainly not in time to have an identity theft prevention program in place by the November 1, 2008 deadline. The new May 1, 2009 enforcement date gives health care providers and other types of organizations needing clarification of the broad reach and scope of the Red Flags Rule the opportunity to receive relevant, industry-specific guidance from the FTC.
Since many health care organizations, most particularly health care providers, are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), they have objected to being deemed to be "creditors" for purposes of the Red Flags Rule. Fortunately, it would appear that a Red Flags identity theft prevention program should be able to build upon HIPAA privacy and security compliance plans.
It should be noted that -- unlike the Red Flags Rule, for which the enforcement deadline was extended to May 1, 2009 -- another portion of the FCRA relating to identity theft, the Address Discrepancy Rule, still has a November 1, 2008 enforcement date. The Address Discrepancy Rule requires a creditor who obtains a credit report to develop and implement policies and procedures concerning situations in which a credit report has an address that differs from the one provided by the individual.
Penalties for failure to comply with the Red Flags Rule and/or the Address Discrepancy Rule can be stiff. Enforcement actions brought by the FTC typically include a requirement that the organization in question adopt a prescribed set of security controls and retain an outside auditor every two years over a period of 10 or 20 years. In addition, when breaches occur, state attorneys general may also become involved under various state laws and regulations.