By Laird Pisto*
October 24, 2008
The Federal Trade Commission (FTC) announced on Wednesday, October 22, 2008, that it was delaying enforcement of key elements of its identity theft detection, prevention, and mitigation rules, also known as the "Red Flag Rules," to allow "creditors" and financial institutions additional time to fully implement policies and procedures designed to thwart identity theft. The Red Flag Rules will be applicable, in many circumstances, to both for-profit and not-for-profit healthcare providers.
The FTC stated that "some industries and entities within the FTC's jurisdiction have expressed confusion and uncertainty about their coverage under the rule." Recent outreach by the FTC to the healthcare industry and the industry's response suggest that the applicability of the Red Flag Rules to healthcare enterprises has been less than obvious to many.
In its Enforcement Policy Statement, the FTC noted that "Given the confusion and uncertainty within major industries under the FTC's jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial to the public."
Duties regarding the detection, prevention, and mitigation of identity theft, codified as 16 CFR § 681.2, now will become enforceable on May 1, 2009, a six-month reprieve from the original enforcement deadline of November 1, 2008. Healthcare providers subject to enforcement by the FTC (under Section 681.2) now have an additional 180 days to develop policies, implement procedures, and train their staff on the implications of the Red Flag Rules.
This week's announcement does not delay the November 1, 2008, enforcement date for companion provisions within the Red Flag Rules (16 CFR § 681.1, pertaining to duties of users of consumer reports who encounter address discrepancies, and 16 CFR § 681.3, pertaining to duties of card issuers regarding changes of address).
Access the full FTC press release. Readers should note the embedded Enforcement Policy Statement.
The FTC's Red Flag Rules are promulgated under authority of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended the Fair Credit Reporting Act (FCRA), all of which is codified at 15 USC § 1681, Pub. Law 108-159, 117 STAT. 1952. Appendix A to the Red Flag Rules contains a number of specific guidelines designed to assist in detecting, preventing, and mitigating identity theft. See Appendix A to Part 681-Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation at 16 CFR Part 681.
*The Health Information and Technology Practice Group would like to thank Laird Pisto (MultiCare Health System, Tacoma, WA) for writing this alert.