On April 30, 2009, the Federal Trade Commission ("FTC") announced that it will again delay enforcement of the second section of the Red Flags Rule (16 C.F.R. § 681.2) which will require many health care providers to implement programs that identify and respond to indicators of potential identity theft ("Red Flags"). The enforcement deadline of May 1, 2009 has been extended to August 1, 2009. The FTC delayed enforcement of the Red Flags Rule to give creditors and financial institutions three more months to develop and implement written identity theft prevention programs.
In its April 30th press release, the FTC stated that "[f]or entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight." Therefore, the November 1, 2008 compliance deadline for the first and third sections of the Red Flags Rule remains intact. The first section (16 C.F.R. § 681.1) imposes certain duties on "users of consumer reports" who receive notice of address discrepancies, and the third section (16 C.F.R. § 681.3) imposes duties on "card issuers" with regard to changes of address and requests for replacement cards.
The FTC implemented the Red Flags Rule to detect, prevent and mitigate the theft of consumers' identities by imposing certain duties on financial institutions and creditors. The Red Flags Rule contains broad definitions of "creditors" and "covered accounts" that make it applicable to a wide array of businesses, including health care providers. A health care provider may be deemed a "creditor" if it "regularly" accepts alternatives to payment in full on the date of service. If a provider qualifies as a creditor, it must next ascertain whether it maintains any "covered accounts," i.e., any account designed to permit multiple payments, as well as any other accounts that involve a reasonably foreseeable risk of identity theft. If a provider is a "creditor" with "covered accounts," it will be required to develop and implement a written "Identity Theft Prevention Program." In developing an Identity Theft Prevention Program, the provider should determine which red flags are relevant to its operations. Red flags include warning signs of identity theft such as a personal identification that looks altered or forged, alerts from credit agencies, or suspicious documents. Once relevant red flags are identified, the Identity Theft Prevention Program must include procedures for detecting those red flags, preventing and mitigating identity theft, and updating the Identity Theft Prevention Program periodically to stay current with emerging risks.
For additional guidance, providers should consult legal counsel or refer to the FTC’s guide for businesses, "Fighting Fraud With the Red Flags Rule: A How-To Guide for Business."