The Red Flag Program Clarification Act of 2010 (S. 3987) has now been passed by both the Senate and House and awaits signing by the President. It appears to relieve health care providers from classification as creditors under the Red Flag Program and thus not subject to the mandated processes, procedures and enforcement connected with such classification. However, as explained below, further clarification from the Federal Trade Commission (FTC) pertaining to health care providers may be needed.
AHCA had met with the FTC and adamantly opposed the classification of skilled nursing facilities (SNFs) as creditors due to the predominance of Medicare, Medicaid and insurance as the payers for the services. We will continue to oppose such classification.
The Red Flag Program Clarification Act of 2010 (S. 3987) narrows the scope of those creditors who are required to comply with the Identity Theft Red Flags Rule. The bi-partisan bill was introduced to the House after being unanimously passed by the Senate a week earlier.
The overall regulations in question have three parts, only the first two of which pertained to the health care industry. (16 C.F.R. § 681.1) The first part of the tri-partite rule, the address discrepancy portion of the regulations, applies to anyone who uses “consumer reports,” defined to include credit reports, and requires users of consumer reports to develop and implement reasonable policies and procedures to deal with an address mismatch.
The second part pertains to the detection, prevention and mitigation of identity theft in relation to covered accounts by “creditors or financial institutions.” These rules became effective November 1, 2008, but enforcement of the second rule -- the Red Flags Rule -- was delayed until December 31, 2010 at the request of Congress, while they considered legislation that would affect the scope of the entities covered.
II. Address Discrepancy Rule Unchanged
The first part of the rule – the Address Discrepancy Rule -- appears to remain intact and still applicable to SNFs. The Address Discrepancy portion of the Red Flag Regulations (16 C.F.R. §681.1) requires users of consumer reports (e.g., for employment or admissions purposes) to develop and implement reasonable policies and procedures to deal with an address mismatch. The FTC has interpreted this requirement as only applying to notices of address discrepancies on consumer reports, also known as credit reports, issued by nationwide consumer reporting agencies (“CRAs”), as defined in Section 603(p) of the Fair Credit Reporting act (“FCRA”). To date, the FTC staff has stated there are only three such nationwide CRAs: Experian, TransUnion and Equifax. Therefore, as a practical matter, notices of address discrepancy on consumer reports issued by the “big three” entities (directly or through intermediaries) are the reports that the FTC staff believes are currently subject to this rule.
Further, the obligation to conduct address verification only applies to a user of the consumer report that has received a “notice of address discrepancy” from one of the three nationwide CRAs. In other words, in the FTC staff’s view, users of consumer reports, such as nursing homes, assisted living facilities or other health care entities, that may use consumer reports for employment or admissions purposes, are only technically required to perform the address verification upon receiving such an express “notice of address discrepancy.” Organizations using consumer reports must have policies and procedures to allow them to form a “reasonable belief” as to whether the report pertains to the person about whom they requested the report. Additionally, users of consumer reports who enter into or have a continuing relationship with the applicant and who “regularly and in the ordinary course of business” furnish information to the CRA from which they received the notice, must report a reasonably confirmed address to that agency when there is an address discrepancy.
III. The Red Flags Rule -- Second Part of the Tripartite Rule May Relieve SNFs of Classification as Creditors
The critical issue is whether or not under the new amendment to the law SNFs are no longer governed by the second part of the regulation, the Red Flags Rule (16 C.F.R. § 681.2). The Rule currently defines the term "creditor" as follows: "[A]ny person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 15 U.S.C. 1681a.
S. 3987 now defines "creditor" as anyone who falls under the definition above and regularly (i) obtains or uses consumer reports in connection with a credit transaction; (ii) furnishes information to consumer reporting agencies in connection with a credit transaction; or (iii) advances funds to a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. Most notably, exempted from the definition are those creditors that "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."
Christopher Dodd (D-Conn.), said that the bill makes clear that "lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably foreseeable risk of identity theft."
The bill does, however, include language permitting relevant government agencies to classify as "creditors” those entities that maintain accounts that are subject to a reasonably foreseeable risk of identity theft. Designations must be made through agency rule making. The FTC in prior communications has noted that the program included health care providers because it believes medical identity theft (wherein an individual steals another's health insurance information, for example) poses a growing and especially dangerous risk. It remains to be seen whether the agency, even assuming signing into law, will find that healthcare providers "maintain accounts...subject to a reasonably foreseeable risk of identity theft."