Some of you may not be aware of this federal Rule, while others may have received information about the Rule from any number of sources. This article will discuss my view of the Rule, and is in no way intended to offer advice to any particular practitioner or to interfere or argue with the positions taken, or the advice given, by any number of associations or organizations representing their respective members.
Congress, by passage of the Fair and Accurate Transactions Act several years ago, required the U.S. Federal Trade Commission (referred to hereafter as the FTC) and other federal agencies to jointly issue rules regarding identity theft in an effort to limit its occurrence and harm. Identity theft has become a significant problem throughout the country that has caused millions of consumers to suffer not only economic harm, but emotional harm as well – sometimes quite severe. These agencies have enacted, among other things, the Red Flags Rule, which requires certain businesses and organizations to develop and implement a written identity theft prevention program designed to detect the warning signs – or “red flags” – of identity theft in their business operations. Additionally, the written program must be designed in a manner that allows these businesses and organizations to take steps to prevent the crime of identity theft and to mitigate the damage it inflicts.
The FTC is a governmental entity that, among other things, polices anti-competitive and unfair business practices. The FTC administers a wide variety of other consumer protection laws, including the Telemarketing Sales Rule, the Pay-Per-Call Rule, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Cigarette Labeling Act and the Truth-In-Lending Act. Beginning on August 1, 2009, the FTC will be enforcing (through the ability to impose a monetary fine) the Red Flags Rule (hereafter referred to as “the Rule”).
Which Businesses Are Affected?
Broadly speaking, the Rule affects those businesses that are either “financial institutions” or “creditors.” These terms, even though defined in the Rule, do not have precise (black and white) meanings and are subject to interpretation, both by the FTC and by the various businesses (including those health care practitioners who own their own practices, whether as sole practitioners, partnerships, or professional corporations) that may or may not be affected by the Rule. The Rule itself defines these terms by making reference to theirmeaning under the Equal Credit Opportunity Act. In this article, I do not address nonprofit organizations, which may be considered by the FTC to be a “creditor” under the Rule, depending upon the manner in which the organization operates (e.g., is paid for services rendered).
Who Is A “Creditor” Under the Rule?
The definition and meaning of this term is critical to a determination of whether the Rule applies to a particular business, such as a counseling ortherapy practice owned by a sole proprietor, partnership, or professional corporation. The Rule defines this term, in part, as a business that regularly extends, renews, or continues credit. Stated otherwise, the business regularly defers payments of debts or accepts deferred payments for purchases of services. The FTC seems to take the position that if payment is made after services are rendered, credit has been extended. They make similar broad statements in an apparent effort to include most businesses and professions. On the other hand, they seem to understand that if the relationship between the business and the client involves incremental, “substantially contemporaneous” payment as the work progresses, this would not be considered a credit transaction. In my view, many, if not most, counselor-client and therapist-patient relationships are structured in this manner.
The word “regularly,” is not defined in the Rule. Thus, determinations of whether a businessregularly extends credit (or engages in the other conduct specified in the Rule) will necessarily depend upon the facts and circumstances particular to each business. The FTC has indicated that if the extension of credit is an isolated or incidental occurrence, then credit is not regularly extended.
The FTC’s broad interpretation of the Rule (and of “creditor” in particular) is problematic. For example, they state that health care providers are creditors if they bill consumers after their services are completed. The FTC does not adequately explain this statement, so some may be led to believe that any time a client receives a bill for servicesrendered, credit has been extended. I believe the FTC was concerned about the physician who may perform heart surgery (services are completed) and bill the patient later, allowing the patient to pay over a period of time and in installments. Suppose a therapist performs one hour of therapy and asks the patient to pay after the session. The patient asks for a bill, and one is prepared forthwith. If the patient pays shortly or immediately thereafter, surely the intent of Congress could not have been to make that a credit transaction! Was payment made after services wererendered or completed, and is there a difference between these terms?
The FTC also takes the position that health care providers who accept insurance are creditors if the consumer is ultimately responsible for the medical fees. They indicate that when the physician submits a bill to the insurer first and then bills any unpaid amounts to the patient, whether required to do so as a matter of contractual or state law, or as a courtesy, payment is deferred – that is, the physician is billing the patient after having provided the medical services. If this were done on a regular basis, the FTC would presumably require compliance with the Rule. There are arguments (not presented here) to counter the viewpoint that the presence of insurance, where the patient or client may be responsible for his or her share, creates a debtor-creditor relationship.
Must I Comply?
This article only scratches the surface of this issue. Much more is involved, and each individual must make his or her own determination of whether compliance is mandatory. As stated above, enforcement is scheduled to begin on August 1, 2009. Because of the concerns expressed by a number of organizations representing health care professions, attorneys, and others, the FTC has indicated that for entities that have a low risk of identity theft, such asbusinesses that know their customers personally, the FTC will soon release atemplate to help them comply with the Rule. It is my belief, however, that many mental health care practitioners may not be subject to the Rule because they do not regularly extend credit. Additionally, it is my view that Congress did not intend that the rule to be developed would affect all professions and businesses that simply billed for services rendered and received payment anytime thereafter. There are federal court decisions that are supportive of this view.
The Rule applies to businesses, thus employed licensees and pre-licensed people, who are typically not owners of a therapy or counseling practice, would not be required to comply. Those who are owners of a therapy or counseling practice (a business entity), however, must determine whether or not they are subject to the Rule. As mentioned above, this is so whether one does business as a sole proprietor, partnership, or professional corporation. It would also apply to a limited liability company, if that form of doing business were lawful for the licensee/owner (the LLC is not a permissible form of doing business for certain health practitioners in many states).
There are several things that practitioners can do to help them make the determination of whether or not they must comply. Practitioners should check with their professional associations to see what the associations have to say about this issue, and to find out whether the opposition by many groups to the FTC’s overly broad (my view) interpretation is resulting in any changes or modifications. In addition, the associations may develop sample or suggested written programs in order to assist practitioners, who believe they are subject to the Rule, with compliance. While certain elements must be in the written program, there is flexibility in terms of the content and length, depending upon the business entity involved. As stated above, the FTC will soon be releasing a template to help some businesses (those that know their customers personally) comply.
The following useful resources will provide you with more information about the Red Flags Rule. Click on the links below.
Article published by the FTC: The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft
Booklet published by the FTC: Fighting Fraud with the Red Flags Rule – A How-To Guide for Business
Article authored by the FTC: The “Red Flags Rule: Are You Complying with New Requirements for Fighting Identity Theft?
Report published by the World Privacy Forum: Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers