U.S. Court of Appeals Validates Red Flag Exemptions

09 March 2011 Publication
Authors: Chanley T. Howell Megan O. Curran

Legal News Alert: Privacy, Security & Information Management

On March 4, 2011, the U.S. Court of Appeals for the District of Columbia ruled that a case brought by the American Bar Association was rendered moot by The Red Flag Program Clarification Act of 2010.1 This decision further validates that attorneys and physicians are exempted from the Red Flags Rule.

The Red Flags Rule, which became effective in January 2008, requires financial institutions and creditors to implement and maintain programs to protect consumers from identity theft. Due to public confusion, in April 2009 the FTC issued an Extended Enforcement Policy (Policy), explaining that “professionals, such as lawyers or health care providers, who bill their clients after services are rendered” would be considered “creditors” under the Red Flags Rule and thus subject to the Red Flags Rule’s requirement of implementation of identity theft programs.2

The American Bar Association (ABA) filed suit in district court challenging the Policy, stating that the Policy was unlawful absent a “clear statement from Congress” authorizing federal regulation over the practice of law.3 The district court agreed with the ABA and enjoined the FTC from enforcing the Red Flags Rule against lawyers.4 The American Medical Association (AMA) joined with others and filed a similar suit seeking to exempt physicians from the Policy as well.

Oral arguments on the ABA case were heard on November 15, 2010 at the circuit court. However, shortly after oral arguments, Congress passed the Red Flag Program Clarification Act of 2010 (Clarification), which was signed into law by President Obama on December 18, 2010. The Clarification expressly revised the definition of “creditor” to make clear that in order to qualify as a creditor under the Red Flags Rule, “one must not only regularly extend, renew, or continue credit under § 1691(a)(e), but also must also ‘regularly and in the ordinary course of business’ (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment.”5

Soon after the Clarification, Don Asmonga, government relations manager for the American Health Information Management Association, stated that the Clarification means that those hospitals that do not regularly request credit reports for credit transactions are exempt from the Red Flags Rule.6

In light of the Clarification, the circuit court ruled that the ABA case was moot.7 The court stated that the portions of the Clarification that were the subject of the ABA’s complaint “have been effectively vitiated by the Clarification.”8 Additionally, the court said that the provisions of the Policy relating to lawyers and health care providers are no longer viable.9

As a result of the determination by the circuit court, the AMA announced that it had officially dropped its lawsuit as well.

Although the circuit court noted that the FTC might promulgate new rules to attempt to regulate lawyers or physicians, for the time being, neither lawyers nor physicians must comply with the Red Flags Rule. 


1 American Bar Association v. Federal Trade Commission, No. 10-5057 (D.C. 2011)

2 FTC Extended Enforcement Policy: Identity Theft Red Flags Rule, 16 CFR 681.1 at 1 n.3 (Apr. 30, 2009).

3 American Bar Association, No. 10-5057. 

4 Id.

5 Id.

6 Howard Anderson, Court Validates Red Flags Exemptions, Healthcare Info Security (2011) (http://tinyurl.com/4krjen9).

7 American Bar Association, No. 10-5057

8 Id.

9 Id.


Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:

Contacts

Andrew B. Serwin
San Diego, California
858.847.6728
aserwin@foley.com

Peter F. McLaughlin
Boston, Massachusetts
617.502.3265
pmclaughlin@foley.com

Chanley T. Howell
Jacksonville, Florida
904.359.8745
chowell@foley.com

Megan E. O’Sullivan
San Diego, California
858.847.6737
mosullivan@foley.com

Insights

Bad Holiday Season News! Estimates of an increase of Cyberattacks 20%!
13 December 2019
Internet, IT & e-Discovery Blog
Driving the Future of Automotive Technology
12 December 2019
Manufacturing Industry Advisor
Massachusetts Governor Proposes Facility Fee Ban
12 December 2019
Health Care Law Today
American Rule Prevails; PTO May Not Collect In-House Attorneys' Fees as "Expenses"
12 December 2019
IP Litigation Current
ACCC 46th Annual Meeting & Cancer Center Business Summit
04-05 March 2020
Washington, D.C.
Foley/Deloitte Compliance and Privacy Officer Roundtable
27 February 2020
Boston, MA
Let’s Talk Compliance
24 January 2020
Orlando, FL
New England Alliance Annual Meeting
15-17 January 2020
Woodstock, VT