In the first case to discuss the Red Flag Program Clarification Act of 2010 (“Clarification Act”), the Court of Appeals for the DC Circuit dismissed the American Bar Association’s (ABA) lawsuit against the Federal Trade Commission (FTC) as moot. This dismissal is significant to healthcare providers as the reasoning behind the dismissal is directly analogous to the application of the Red Flags Rule to healthcare providers.

The ABA’s suit followed the issuance of the FTC of an Extended Enforcement Policy which explained that “professionals, such as lawyers or health care providers, who bill their clients after services are rendered,” would be considered “creditors” under the statute and, therefore, subject to the Rule’s requirements. The Court determined that the Clarification Act mooted the case because “the Clarification Act . . . clarifies that, to be a ‘creditor’ subject to the Red Flags Rule requirements, one must not only regularly extend, renew, or continue credit . . . , but must also ‘regularly and in the ordinary course of business,’ (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment.” The Court determined that the Clarification Act “made it clear that a creditor’s allowance of deferred payments alone could not trigger the identity theft protection requirements.”

The Court clarified that the ability to defer payment “is no longer enough to make a person or firm subject to the FTC’s Red Flags Rule – there must now be an explicit advancement of funds. In other words, the FTC’s assertion that the term ‘creditor,’ as used in the Red Flags Rule and the FACT Act, includes ‘all entities that regularly permit deferred payments for goods or services,…is no longer viable.” The Court’s decision echoes the legislative history of the Clarification Act, in which Senator Dodd commented that the design of the Clarification Act “makes clear that lawyers, doctors…and other service providers will no longer be classified as ‘creditors’ for the purposes of the Red Flags Rule…”

Although the case involved the application of the Red Flags Rule to lawyers, the Court’s analysis should be equally applicable to healthcare providers, which were previously subject to the Red Flags Rule because of deferred payment for medical services. The Court’s ruling makes it clear that healthcare providers will no longer be deemed creditors under the Red Flags Rule based on their payment method of providing services and billing for those services later.

However, the Court also noted that it would not prematurely comment on any new rules the FTC may promulgate. The FTC has the authority to engage in rulemaking to include entities within the coverage of the Red Flags Rule that maintain accounts subject to a reasonably foreseeable risk of identity theft.

If you have any questions regarding the Red Flags Rule and its application to healthcare entities please contact Elana Zana.