On July 29, 2009, just three days before the effective date of the "Red Flags Rule" (the "Rule"), the Federal Trade Commission ("FTC") announced that it would again delay enforcement of the Rule from August 1, 2009 until November 1, 2009. The FTC delayed enforcement to allow it to further educate small businesses and health care providers about the Rule and what they need to do to comply with its requirements. The FTC plans, in short order, to provide additional educational resources and compliance guidance, including a special link for small businesses and entities with a low risk of identity theft on its Red Flags Rule website (www.ftc.gov/redflagsrule). This is the third delay in enforcement of the Rule, which was originally to have begun on November 1, 2008.
The Rule implements certain sections of the Fair and Accurate Credit Transactions Act of 2003, and requires financial institutions and creditors with covered accounts to develop identity theft prevention programs that identify, detect, and mitigate identity theft. The term "creditor" is defined broadly and applies to any entity that regularly extends or renews credit. That includes all entities that regularly permit deferred payments for goods or services, such as health care entities that bill insurers and are not actually paid until after services are rendered.
In its July 29, 2009 announcement, the FTC stated that "[a]lthough many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small business and entities with a low risk of identity theft – remain uncertain about their obligations." The FTC hopes that the three-month extension combined with the new guidance materials will enable businesses to gain a better understanding of the Rule and their obligations under it. Further, the FTC believes that "these steps are consistent with the House Appropriations Committee's recent request that the [FTC] defer enforcement in conjunction with additional efforts to minimize the burdens of the Rule on health care providers and small businesses with a low risk of identity theft problems."
Notably, on May 12, 2009, Rep. John Adler (D-N.J.) introduced H.R. 2345 to amend the Fair Credit Reporting Act so as to exclude health care practices with 20 or fewer employees from the scope of the Rule. The bill, which has 35 co-sponsors, was referred to the House Committee on Financial Services on May 12, 2009, and there has, to date, been no further action on it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
