The Red Flags Clarification Act of 2010 (RFCA) was signed into law December 2010 by President Obama. This law was intended to better define the term “creditor” as it is used in the Red Flags Rule. Although the name of this act implies that it “clarifies” who must comply with the Red Flags Rule, it appears to broaden the scope of the Red Flags Rule.
The Red Flags Clarification Act specifically identifies a “creditor” as a business that obtains or uses consumer reports in connection with a credit transaction, furnishes information to a consumer reporting agency, or to advances loans based on an obligation to repay. This would include debt collection agencies, insurance agents and agencies, apartment complexes and real estate management groups, and any group that issues any sort of loan (even a payday loan company).
The RFCA represents an addition to an addendum of an amendment of a law, which simply says that things are more complicated than officials initially believed when it comes to identity theft, and they have to keep clarifying their position. For the consumer, especially the victim of identity theft, all of these amendments and additions simply represent more headaches, because they describe loopholes as well as defining companies that are required to comply with the laws. One place this is glaringly obvious is in the medical industry.
According to the American Health Information Management Association (AHIMA), the Red Flags Clarification Act would exempt most medical providers from the Red Flags Rule, despite the fact that medical providers indirectly report to credit reporting agencies. This loophole falls in place because doctors and hospitals tend to outsource debt collection. So, even though a collection agent will call you from the hospital you went to about an outstanding medical bill, if the hospital has hired a third party vendor to make those calls, that hospital can technically say they’re not reporting to a consumer reporting agency, even though the third-party vendor they hired will do exactly what they are told by the hospital because they want to keep their contract.
However, the law firm of Page, Wolfberg & Wirth says otherwise. This Pennsylvania law firm specializes in working with EMS and ambulance services, medical transportation, and public safety organizations. They specifically state on their website that “…the language [of this law] chosen by Congress did not grant an outright exemption for ambulance services or any other healthcare providers.” (emphasis per site.) They even go further, saying that “If reports to credit bureaus aren’t done by the ambulance service (or on its behalf by a collections agency) ‘regularly and in the ordinary course of business,’ the ambulance service is likely still covered by the Red Flags Rules.” In fact, the only ambulance services that are definitely not covered are ones that do not bill, or do not engage in collection activities that involve the use of consumer reports or reporting to credit bureaus.
More than likely, this will be the interpretation of the law applied to the medical industry, especially in light of the fact that medical identity theft is on a dramatic rise, and can have such dire consequences to the victim. The Red Flags Clarification Act also permits the Federal Trade Commission to add future rules to cover anyone who maintains accounts that have a reasonably foreseeable risk of identity theft, which would obviously include the entire healthcare industry. And since the FTC has expressed concern in the past about medical identity theft, it is likely that such rules will be added if the courts present another interpretation.
Whether the Red Flags Rules specifically apply to the healthcare industry or not, it would seem to be common sense that our medical practitioners had policies in place that addressed these issues regardless of legislation. Perhaps the biggest concern when it comes to medical identity theft is that the healthcare industry has lobbied heavily to be exempted from these rules.