On May 28, 2010, at the request of several members of Congress, the Federal Trade Commission (FTC) again deferred enforcement of the Identity Theft Red Flags Rule, this time through December 31, 2010. Congress is considering legislation that would alter the types of entities covered by the Red Flags Rule, and the FTC believes that further postponement is warranted so that it does not begin to enforce a regulation that Congress may eventually supersede. If Congress passes the legislation with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that earlier date.
Impact on Health Care Providers
The Red Flags Rule, issued under the Fair and Accurate Credit Transactions Act of 2003, requires financial institutions and creditors to develop and implement written identity theft prevention programs. Because hospitals and other health care providers typically allow for deferred payment for services provided, most will meet the definition of a "creditor" and therefore must develop and implement a prevention program. The program must identify, detect and respond to patterns, practices or specific activities — known as "red flags" — that could indicate identity theft.
Physicians have objected to the application of the Red Flags Rule to their practices. On May 21, 2010, the American Medical Association, the American Osteopathic Association and the Medical Society for the District of Columbia filed suit in the US District Court for the District of Columbia seeking to bar application of the Red Flags Rule to physicians. This action is still pending.
Late last year the House of Representatives unanimously approved H.R. 3763, a bill that would exempt from coverage under the Red Flags Rule any health care, accounting or legal practice with 20 or fewer employees, as well as certain other businesses. On May 25, 2010, a similar bill (S. 3416) was introduced in the Senate.
While congressional action seems likely, organizations should nonetheless prepare for enforcement of the Red Flags Rule. The proposed legislation would exempt only a portion of the health care industry; larger organizations would still need to implement an identity theft program. Also, failure to comply with the Red Flags Rule could result in penalties of $3,500 per violation.