Under regulations (the Red Flags Rules) issued by the Federal Trade Commission (FTC) as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, "financial institutions" and "creditors" are required to develop and implement written identity theft prevention programs. Hospitals that accept deferred payments for medical services will fall within the definition of "creditor" under the FTC's new Red Flags Rules and must develop and implement written identity theft prevention programs by November 1, 2008 to comply with these new regulations.

The purpose of the written identity theft prevention program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities.

Who must comply with the Red Flags Rules?

The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the rules, a creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Thus, hospitals that accept deferred payments for medical services – whether they are for-profit, non-profit, or governmental entities – will likely fall within the definition of "creditor," requiring compliance with these rules.

Complying with the Red Flags Rules

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The written program must include reasonable policies and procedures to:

  1. Identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program;
  2. Detect Red Flags that have been incorporated into its program;
  3. Respond appropriately to any Red Flags that are detected;
  4. Update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.

Full text of the Federal Register rules