Red Flag Rule: How the Red Flag Rule Affects Health Care Providers



The Red Flag Rule applies broadly to financial institutions, credit grantors, and some others, including some health care providers. A health care provider comes under the Red Flag Rule if the provider meets the definition of creditor under the Fair Credit Reporting Act (15 U.S.C. § 1681a(r)(5)). A health care provider comes under the Address Discrepancy Rule if it uses consumer credit reports.


Many of the Red Flag provisions apply mostly to banks, other financial institutions, and debit and credit card issuers. Some of the obligations affect creditors, a general term that includes some health care providers. A creditor is:

any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. 15 U.S.C. §§ 1691a(e), 1681a(r)(5). 16 C.F.R. § 681.2(b)(4).

Banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies are examples of creditors. Accepting credit cards as a form of payment does not by itself make an entity a creditor. Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors.

Creditors that offer or maintain covered accounts have obligations under the Red Flag regulations. A covered account is:

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. 16 C.F.R. § 681.2(b)(3).

Essentially, if a health care provider extends credit to a consumer by establishing an account that permits multiple payments, the provider is a creditor offering a covered account and is subject to the Red Flag rules. The supplementary information accompanying the final publication of the Red Flag rule explains the application of the rule in the health care world:

For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk. 72 Fed. Reg. 63727 (Nov. 9, 2007).

Appendix 1 of this document includes the full text of the supplementary information.

User of Credit Reports

Health care providers may also be subject to the Address Discrepancy rules that apply to users of consumer reports. (A consumer report is also known as a credit report.) A Notice of Address Discrepancy is a notice sent to a user by a consumer reporting agency (also known as a credit bureau) that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address in the agency’s file for the consumer. 16 C.F.R. § 681.1(b).

The Notice of Address Discrepancy is required by the Fair Credit Reporting Act. Under 15 U.S.C. § 1681c(h), when a person requests a nationwide credit report about a consumer, the request includes the address that the consumer provided to the person. If that address differs substantially from the address in the credit bureau files, the bureau notifies the requester of the existence of the discrepancy.

The Notice of Address Discrepancy triggers obligations under the new rules. Any health care provider that orders a credit report on a consumer must comply with those obligations, which are discussed in more detail in section IV of this document.



Roadmap: Red Flag and Address Discrepancy Requirements – Suggestions for Health Care Providers: II. How the Red Flag Rule Affects Health Care Providers

