Hospitals and other healthcare providers that accept deferred payments for medical services may be required to develop and implement written identity theft programs by November 1, 2008, in order to comply with the “Red Flags Rules” issued by the Federal Trade Commission (FTC). The Red Flags Rules are regulations issued as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003 that apply to “financial institutions” and “creditors” that maintain “covered accounts.”
Healthcare providers are considered to be “creditors” if they regularly extend credit to patients by not demanding payment for medical goods or services at the time such goods or services are provided. These creditors are subject to compliance with the Red Flags Rules if they offer or maintain “covered accounts,” which the FTC defines as accounts used mostly for personal, family or household purposes that involve multiple payments or transactions.
Under the Red Flags Rules, “creditors” must develop a written program by November 1, 2008 that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The written program must address the following four requirements:
1) Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft;
2) Detect red flags;
3) Respond to detected red flags to prevent and mitigate identity theft; and
4) Ensure the program is updated periodically to reflect changes in risks.