On March 4, 2011, the U.S. Court of Appeals for the District of Columbia ruled that a case brought by the American Bar Association was rendered moot by the Red Flag Program Clarification Act of 2010.1 This decision further validates that attorneys and physicians are exempted from the Red Flags Rule.

The Red Flags Rule, which became effective in January 2008, requires financial institutions and creditors to implement and maintain programs to protect consumers from identity theft. Due to public confusion, in April 2009 the FTC issued an Extended Enforcement Policy (Policy), explaining that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered "creditors" under the Red Flags Rule and thus subject to the Red Flags Rule's requirement of implementation of identity theft programs.2

The American Bar Association (ABA) filed suit in district court challenging the Policy, stating that the Policy was unlawful absent a "clear statement from Congress" authorizing federal regulation over the practice of law.3 The district court agreed with the ABA and enjoined the FTC from enforcing the Red Flags Rule against lawyers.4 The American Medical Association (AMA) joined with others and filed a similar suit seeking to exempt physicians from the Policy as well.

Oral arguments on the ABA case were heard on November 15, 2010 at the circuit court. However, shortly after oral arguments, Congress passed the Red Flag Program Clarification Act of 2010 (Clarification), which was signed into law by President Obama on December 18, 2010. The Clarification expressly revised the definition of "creditor" to make clear that in order to qualify as a creditor under the Red Flags Rule, "one must not only regularly extend, renew, or continue credit under § 1691(a)(e), but must also 'regularly and in the ordinary course of business' (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment."5

Soon after the Clarification, Don Asmonga, government relations manager for the American Health Information Management Association, stated that the Clarification means that those hospitals that do not regularly request credit reports for credit transactions are exempt from the Red Flags Rule.6

In light of the Clarification, the circuit court ruled that the ABA case was moot.7 The court stated that the portions of the Clarification that were the subject of the ABA's complaint "have been effectively vitiated by the Clarification."8 Additionally, the court said that the provisions of the Policy relating to lawyers and health care providers are no longer viable.9

As a result of the determination by the circuit court, the AMA announced that it had officially dropped its lawsuit as well.

Although the circuit court noted that the FTC might promulgate new rules to attempt to regulate lawyers or physicians, for the time being, neither lawyers nor physicians must comply with the Red Flags Rule.

Footnotes

1. American Bar Association v. Federal Trade Commission, No. 10-5057 (D.C. 2011).

2. FTC Extended Enforcement Policy: Identity Theft Red Flags Rule, 16 CFR 681.1 at 1 n.3 (Apr. 30, 2009).

3. American Bar Association, No. 10-5057.

4. Id.

5. Id.

6. Howard Anderson, Court Validates Red Flags Exemptions, Healthcare Info Security (2011) (http://tinyurl.com/4krjen9).

7. American Bar Association, No. 10-5057.

8. Id.

9. Id.
