Health Care Providers Are Exempt From the Red Flags Rule
Healthcare Alert
Jan 4, 2011
Under the Red Flag Program Clarification Act of 2010 (RFPCA), health care providers and other businesses that accept deferred payment for goods and services are exempt from being classified as “creditors” for purposes of the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act of 2003. Such entities and individuals therefore do not have to comply with the Federal Trade Commission’s (FTC’s) Red Flags Rule, which requires creditors to develop and implement written identity theft prevention programs. The RFPCA became effective on December 18, 2010.
A “creditor” under the RFPCA is any person or entity which regularly and in the ordinary course of business: (1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds, or repayable from specific property pledged by or on behalf of the person.
The application of the Red Flags Rule to certain professionals, including health care providers, accountants and attorneys, was controversial and led to the enactment of the RFPCA. The RFPCA exempts from the definition of “creditor” any person or entity that “advances funds” under clause (3) above but does so “on behalf of a person for expenses incidental to a service provided by the creditor to that person.” Thus, a health care provider that provides medical services but does not require payment in full at the time the service is rendered is not a “creditor” for purposes of the Red Flags Rule. Such a provider therefore does not need to develop and implement a written identity theft prevention program designed to detect “red flags,” the activities that are signs of identity theft.
The FTC began enforcement of the Red Flags Rule against creditors on December 31, 2010. The enforcement deadline was delayed five times, with an original commencement date of November 1, 2008.
For more information, please contact your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.