FTC Clarifies Red Flags Rule Applicability and Requirements
June 14—To help businesses comply with the requirements of the Red Flags Rule, which requires organizations to watch for and respond to warning signs of identity theft, the Federal Trade Commission (FTC) has issued revised guidance outlining which businesses are covered by the rule and what is required for compliance.
According to the guidance document, the rule applies to financial institutions and some creditors. More specifically, the rule applies to creditors that regularly engage in certain activities, such as using information from or sharing information with consumer reporting agencies regarding credit transactions, provided that these activities occur “regularly and in the ordinary course of business.” According to the report, isolated conduct does not trigger application of the rule.
The report further states that what is deemed “regularly and in the ordinary course of business” is specific to individual companies. In other words, a healthcare organization that engages in these activities regularly must comply even if that is not a typical practice for the healthcare industry.
Hospitals and other healthcare organizations that fall within the purview of the rule are required to develop and implement a written identity theft prevention program to detect red flags, proactively prevent them where possible, and mitigate the damage they cause, according to the guidance document.
Publication Date: Friday, June 14, 2013