Physicians And Other Service Providers Exempted From Identity Theft Program Requirements

January 2011

Effective January 1, 2011, the long delayed provisions of regulations promulgated by the Federal Trade Commission (called the Red Flags Rule) that implemented 2003 federal legislation now require that banks, financial institutions, credit reporting agencies and other similar businesses develop and maintain programs to identify, detect and respond to indications of identity theft. On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010 (the “Clarification Act”) that for the most part exempted health care service providers (such as physicians, dentists and pharmacists) and attorneys, accountants and other service professionals from the Red Flags Rule.

Under the Clarification Act, persons who provide services or who advance funds for expenses incidental to those services are now exempt from the Red Flags Rule on the theory that accounts maintained by service providers (including health care service providers) do not pose a reasonable risk of identity theft. However, the service provider exception in the Clarification Act does not apply to organizations that use consumer reports in connection with credit transactions, provide information to consumer reporting agencies or that loan money. The Red Flags Rule requires that these businesses establish and maintain identity theft prevention programs.

Notwithstanding the general exemption of service providers from the identity theft program prevention requirements, if, for example, a physician were to obtain a credit report about an underinsured patient in conjunction with negotiations that will enable the patient to remit the balance of payments not covered by insurance on an installment basis, the physician provider would lose its exemption from compliance with the Red Flags Rule and must adopt and maintain an identity theft program that applies to all of its patients. If a provider of health care services allows for its patients to pay for services that are not covered by insurance (such as cosmetic surgery) or for which insurance typically covers less than the cost of the entire course of treatment (such as with orthodontic services) over a period of time under a plan or arrangement, it is possible that this pervasive extension of credit to patients that obtain services of this type may not be covered by the exemption and thus the provider must comply with the loss prevention program requirements. Although neither the Clarification Act nor the Committee reports that accompanied same provided explicitly one way or the other, it is likely that that the Red Flags Rule will apply to hospitals and nursing homes since both types of health care providers regularly use information from consumer credit reporting agencies and/or provide credit information to such reporting agencies.

It is likely that the Federal Trade Commission will issue interpretive guidance in the future as to the scope of the exemption that was created by the Clarification Act.

For further information about the provisions of the Clarification Act or the applicability of the so-called Red Flags Rule to health care and other service providers, please contact any member of the Dickinson Wright Healthcare Practice Group.

Ralph Z. Levy, Jr. is Of Counsel in Dickinson Wright’s
Nashville office and can be reached at 615.620.1733 or

  • |