The House and Senate have approved legislation intended to clarify that health care providers and other non-financial businesses are not subject to the Federal Trade Commission’s (FTC) “Red Flag” identity theft rule simply because they extend credit to patients who do not pay for all services at the time services are received. Specifically, S. 3987 would amend the Fair Credit Reporting Act (FCRA) to define the term creditor and exempt from the creditor identity theft protection requirements any person who “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The legislation is now awaiting the President’s signature.