On July 29, 2009, the Federal Trade Commission (FTC) issued a statement delaying enforcement of the new “Red Flags Rule”¹ until November 1, 2009.² Recently, the FTC determined that small businesses and other entities with a low risk of identity theft were unclear about their obligations under the Rule. Therefore, the FTC decided to provide additional resources and guidance to these entities to assist them with questions about their obligations under the Rule. This delay in the enforcement date also gives creditors and financial institutions additional time to develop and implement written identity theft prevention programs and to use the new resources and guidance to be issued by the FTC.
Under the Red Flags Rule, financial institutions and creditors are required to implement identity theft detection and prevention/mitigation programs. The FTC has taken the unofficial position that the Rule applies to any entity that regularly arranges for the extension, renewal or continuation of credit, including hospitals or other health care providers.
Health care providers covered under the Rule should note that the new November 1, 2009, compliance date reflects a moratorium, not a change in regulatory interpretation of the Red Flags Rule. While this FTC announcement gives institutions more time to review the guidance and develop written identity theft programs, covered health care providers are still expected to comply with the Rule by the new enforcement date.