FTC Again Postpones Enforcement of Red Flags Rule

29 July 2009 Publication
Author(s): Gary D. Koch

Legal News Alert: Health Care

On July 29, 2009, the Federal Trade Commission (FTC) announced another delay in the enforcement date of the so-called “Red Flags Rule” (the Rule). The FTC indicated that enforcement of the Rule is now postponed until November 1, 2009. The Rule was originally scheduled to be enforced on November 1, 2008, but the enforcement date was postponed to May 1, 2009, and then until August 1, 2009. The new delay will give creditors who are subject to the Rule an additional three months to come into compliance. It also leaves open the possibility that new legislation or changes in the Rule will narrow its scope or reduce the burdens of compliance.

The most recent delay in the Rule’s enforcement date followed reports that the American Bar Association (ABA) and other groups are continuing to press the FTC and the U.S. Congress to exempt their constituencies. The House Appropriations Committee also asked the FTC to defer enforcement and to make additional efforts to minimize the burdens of the Rule on health care providers and small businesses with a low risk of identity theft problems.

The Rule requires “creditors,” defined as any entity that regularly extends or renews credit, to develop and implement written identity theft programs. The FTC interprets the Rule as applicable to all entities that regularly permit deferred payment for goods or services, which includes most health care providers as well as lawyers and other service providers. The American Medical Association and other provider groups, along with the ABA and representatives of other industries, have asserted that Congress did not intend the legislation giving rise to the Rule, the Fair and Accurate Credit Transactions Act of 2003, to be construed so broadly. These groups have lobbied the FTC and Congress either to create exemptions or to narrow the definition of “creditor” so that they would not be covered.

In its press release announcing the postponement, the FTC also stated that it “will redouble its efforts to educate” small businesses and other entities “about compliance with the Red Flags Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.” The FTC has established a Web site with resources designed to help entities determine if they are covered and, if so, assist them in complying with the Rule. The Web site includes an online compliance template that enables companies that are at low risk for identity theft to design their own written identity theft programs through an easy-to-use form. The Web site also includes articles directed to specific businesses, including health care providers, a guidance manual, and frequently asked questions (FAQs) to help companies navigate the Rule. The FAQs indicate that FTC staff would be unlikely to recommend bringing a law enforcement action against entities that know their customers or clients individually, or operate in sectors of the economy where identity theft is rare and which have not themselves been the target of identity theft.

The FTC’s announcement of the current delay does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance date for financial institutions and other entities subject to their oversight.

