The Red Flags Rule

Download PDF

Avoiding Liability Bulletin – June 2008

**Click here for an updated blog related to this matter**

Some of you may not be aware of this federal Rule, while others may have received information about the Rule from any number of sources. This article will discuss my view of the Rule and is in no way intended to offer advice to any particular practitioner or to interfere or argue with the positions taken, or the advice given, by any number of associations or organizations representing their respective members.


Congress, by passage of the Fair and Accurate Transactions Act several years ago, required the U.S. Federal Trade Commission (referred to hereafter as the FTC) and other federal agencies to jointly issue rules regarding identity theft in an effort to limit its occurrence and harm. Identity theft has become a significant problem throughout the country that has caused millions of consumers to suffer not only economic harm, but emotional harm as well – sometimes quite severe. These agencies have enacted, among other things, the Red Flags Rule, which requires certain businesses and organizations to develop and implement a written identity theft prevention program designed to detect the warning signs – or “red flags” – of identity theft in their business operations. Additionally, the written program must be designed in a manner that allows these businesses and organizations to take steps to prevent the crime of identity theft and to mitigate the damage it inflicts.

The FTC is a governmental entity that, among other things, polices anti-competitive and unfair business practices. The FTC administers a wide variety of other consumer protection laws, including the Telemarketing Sales Rule, the Pay-Per-Call Rule, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Cigarette Labeling Act and the Truth-In-Lending Act. Beginning on August 1, 2009, the FTC will be enforcing (through the ability to impose a monetary fine) the Red Flags Rule (hereafter referred to as “the Rule”).

Which Businesses Are Affected?

Broadly speaking, the Rule affects those businesses that are either “financial institutions” or “creditors.” These terms, even though defined in the Rule, do not have precise (black and white) meanings and are subject to interpretation, both by the FTC and by the various businesses (including those health care practitioners who own their own practices, whether as sole practitioners, partnerships, or professional corporations) that may or may not be affected by the Rule. The Rule itself defines these terms by making reference to their meaning under the Equal Credit Opportunity Act. In this article, I do not address nonprofit organizations, which may be considered by the FTC to be a “creditor” under the Rule, depending upon the manner in which the organization operates (e.g., is paid for services rendered).

Who Is A “Creditor” Under the Rule?

The definition and meaning of this term is critical to a determination of whether the Rule applies to a particular business, such as a counseling ortherapy practice owned by a sole proprietor, partnership, or professional corporation. The Rule defines this term, in part, as a business that regularly extends, renews, or continues credit. Stated otherwise, the business regularly defers payments of debts or accepts deferred payments for purchases of services. The FTC seems to take the position that if payment is made after services are rendered, credit has been extended. They make similar broad statements in an apparent effort to include most businesses and professions. On the other hand, they seem to understand that if the relationship between the business and the client involves incremental, “substantially contemporaneous” payment as the work progresses, this would not be considered a credit transaction. In my view, many, if not most, counselor-client and therapist-patient relationships are structured in this manner.

The word “regularly,” is not defined in the Rule. Thus, determinations of whether a businessregularly extends credit (or engages in the other conduct specified in the Rule) will necessarily depend upon the facts and circumstances particular to each business. The FTC has indicated that if the extension of credit is an isolated or incidental occurrence, then credit is not regularly extended.

The FTC’s broad interpretation of the Rule (and of “creditor” in particular) is problematic. For example, they state that health care providers are creditors if they bill consumers after their services are completed. The FTC does not adequately explain this statement, so some may be led to believe that any time a client receives a bill for services rendered, credit has been extended. I believe the FTC was concerned about the physician who may perform heart surgery (services are completed) and bill the patient later, allowing the patient to pay over a period of time and in installments. Suppose a therapist performs one hour of therapy and asks the patient to pay after the session. The patient asks for a bill, and one is prepared forthwith. If the patient pays shortly or immediately thereafter, surely the intent of Congress could not have been to make that a credit transaction! Was payment made after services were rendered or completed, and is there a difference between these terms?

The FTC also takes the position that health care providers who accept insurance are creditors if the consumer is ultimately responsible for the medical fees. They indicate that when the physician submits a bill to the insurer first and then bills any unpaid amounts to the patient, whether required to do so as a matter of contractual or state law, or as a courtesy, payment is deferred – that is, the physician is billing the patient after having provided the medical services. If this were done on a regular basis, the FTC would presumably require compliance with the Rule. There are arguments (not presented here) to counter the viewpoint that the presence of insurance, where the patient or client may be responsible for his or her share, creates a debtor-creditor relationship.

Must I Comply?

This article only scratches the surface of this issue. Much more is involved, and each individual must make his or her own determination of whether compliance is mandatory. As stated above, enforcement is scheduled to begin on August 1, 2009. Because of the concerns expressed by a number of organizations representing health care professions, attorneys, and others, the FTC has indicated that for entities that have a low risk of identity theft, such asbusinesses that know their customers personally, the FTC will soon release atemplate to help them comply with the Rule. It is my belief, however, that many mental health care practitioners may not be subject to the Rule because they do not regularly extend credit. Additionally, it is my view that Congress did not intend that the rule to be developed would affect all professions and businesses that simply billed for services rendered and received payment anytime thereafter. There are federal court decisions that are supportive of this view.

The Rule applies to businesses, thus employed licensees and pre-licensed people, who are typically not owners of a therapy or counseling practice, would not be required to comply. Those who are owners of a therapy or counseling practice (a business entity), however, must determine whether or not they are subject to the Rule. As mentioned above, this is so whether one does business as a sole proprietor, partnership, or professional corporation. It would also apply to a limited liability company, if that form of doing business were lawful for the licensee/owner (the LLC is not a permissible form of doing business for certain health practitioners in many states).

There are several things that practitioners can do to help them make the determination of whether or not they must comply. Practitioners should check with their professional associations to see what the associations have to say about this issue, and to find out whether the opposition by many groups to the FTC’s overly broad (my view) interpretation is resulting in any changes or modifications. In addition, the associations may develop sample or suggested written programs in order to assist practitioners, who believe they are subject to the Rule, with compliance. While certain elements must be in the written program, there is flexibility in terms of the content and length, depending upon the business entity involved. As stated above, the FTC will soon be releasing a template to help some businesses (those that know their customers personally) comply.

The following useful resources will provide you with more information about the Red Flags Rule. Click on the links below.


Article published by the FTC: The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft


Booklet published by the FTC: Fighting Fraud with the Red Flags Rule – A How-To Guide for Business


Article authored by the FTC: The “Red Flags Rule: Are You Complying with New Requirements for Fighting Identity Theft?


Report published by the World Privacy Forum: Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers



Mental Health AL Blog - Get a Quote & Apply


Richard Leslie

"At the Intersection of Law and Psychotherapy" Richard S. Leslie is an attorney who has practiced at the intersection of law and psychotherapy for the past twenty-five years. Most recently, he was a consultant to the American Association for Marriage and Family Therapy (AAMFT), where he worked with their various state divisions to develop and implement their legislative agendas. He also provided telephone consultation services to AAMFT members regarding legal and ethical issues confronting practitioners of diverse licensure nationwide. Additionally, he wrote articles regarding legal and ethical issues for their Family Therapy Magazine and presented at workshops on a variety of legal issues. Prior to his work with AAMFT, Richard was Legal Counsel to the California Association of Marriage and Family Therapists (CAMFT) for approximately twenty-two years. He was director of Government Relations for CAMFT, and as such was the architect of CAMFT’s widely regarded and successful legislative agenda. He represented CAMFT before the regulatory board (the Board of Behavioral Sciences) and was a tireless advocate for due process and fairness for licensees and applicants. He was a regular presenter at workshops and was consistently evaluated as CAMFT’s most highly rated presenter. He also sat with the CAMFT Ethics Committee and acted as their advisor on matters pertaining to the enforcement of ethical standards. Richard is an acknowledged expert on matters pertaining to the interrelationship between law and the practice of marriage and family therapy and psychotherapy. For many years, he taught Law and Ethics courses for a number of colleges and universities in their marriage and family therapy degree programs. While at CAMFT, he provided telephone consultation services with thousands of therapists in California and elsewhere for over twenty years. He is highly regarded for his judgment, his expertise, his direct style, and his clarity. Richard has been the driving force for many of the changes and additions to the laws of the State of California that affect MFTs. In 1980, he was primarily responsible for achieving passage of the "Freedom of Choice Law" that required insurance companies to pay for psychotherapy services performed by MFTs. Passage of that law allowed MFTs to earn a living, allowed them to better compete in the marketplace, and strengthened the profession in California by leading to a great increase in the number of licensees and CAMFT membership. Currently, about half of the licensed marriage and family therapists in the country are licensed in California. While at CAMFT, Richard was primarily responsible for, among other things, the successful effort to criminalize sex between a patient and a therapist. He was successful in extending the laws of psychotherapist-patient privilege to MFTs, thereby giving patients the same level of privacy protection as when seeing a psychiatrist or psychologist. He fought tirelessly and successfully for the right of MFTs to refer to themselves as "psychotherapists," to perform psychological testing services, to be appropriately reimbursed by California’s Victims of Crime Program, and to be employed in county mental health agencies throughout California. Richard was admitted to the Bar in New York (1969) and in California (1973). While practicing in New York, he served as a public defender, and later, as an Assistant District Attorney. Shortly after moving to California, he worked for the San Diego County Human Relations Commission as their Law and Justice Officer. While there, he worked successfully to achieve greater racial diversity in the criminal jury selection system and to expose and stop police abuse. For such work with that agency, he was the recipient of the Civil Libertarian of the Year Award by the San Diego Chapter of the American Civil Liberties Union.

Have Questions? click here, We’re happy to help!