Enforcement of "Red Flag" Rules Delayed Again

VHCA (7/30/2009)

As previously reported, the Red Flag Regulations that address consumer fraud and identify theft have three parts – with only the first two pertaining to health care providers. The first part, the address discrepancy portion of the Red Flag Regulations, applies to anyone who uses “consumer reports,” defined to include credit reports, and requires users of consumer reports to develop and implement reasonable policies and procedures to deal with an address mismatch.  The second part pertains to the detection, prevention and mitigation of identity theft in relation to covered accounts by “creditors or financial institutions.”  This second rule, referred to commonly as the “Red Flags Rule” is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft. 

These rules became effective November 1, 2008, but enforcement of the second rule was delayed until May 1, 2009 and again delayed to August 1, 2009.   It is now being delayed yet again to November 1, 2009.

In the press release, the Federal Trade Commission (FTC) indicates that in order to assist small businesses and other entities, the FTC staff will redouble efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

While the FTC guidance material may be of assistance to long term care facilities, please keep in mind that the American Health Care Association (AHCA) has developed guidance materials specifically for providers.  Please go to the AHCA website for their Identity Theft Tool Kit with explanations of the two rules that apply to LTC Facilities, a Reed Smith Memoranda with guidance for facility implementation of Rule #1 and two additional documents prepared by the LTC Consortium providing guidance on policy and procedures for Rule #2. 

AHCA is reviewing the new FTC guidance and will provide any additions or modifications to their guidance documents, if necessary. The FTC’s Red Flags website, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule.  It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.