The Federal Trade Commission (FTC) has delayed enforcement of the Red Flag rule until May 1, 2009, in response to confusion within the healthcare industry and other industries regarding the applicability of the rule's identity theft prevention programs, which are designed to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Entities subject to the Red Flag regulation include any entity (1) that regularly extends, renews, or continues credit; (2) that regularly arranges for the extension, renewal, or continuation of credit; (3) that is an assignee of an original creditor who is involved in the decision to extend, renew, or continue credit; and (4) that regularly grants a consumer the right to defer payment for any purchase (e.g., an entity that provides a product or service for which the consumer pays after delivery is a creditor). Simply accepting credit cards as a form of payment, however, does not by itself make an entity a creditor.
However, the delay in enforcement is limited to the identity theft portion of the Red Flag rule. The enforcement delay does not extend to the portion of the rule requiring users of consumer reports (such as providers) to develop and implement reasonable policies and procedures designed to assure that a consumer report actually relates to the consumer about whom the provider has requested the report (i.e., when the provider receives a notice from a credit bureau of a substantial difference between the consumer's address provided by the provider and the address contained in the credit bureau's records).
While the delay provides some breathing room, providers should continue to develop procedures to address identity theft issues. Medical identity theft is proliferating at an alarming rate and is proving to be extremely difficult to contain, according to the FTC. The HHS Inspector General's office has also criticized CMS for failing to enforce the Health Insurance Portability and Accountability Act's security rule protecting patient information. The OIG stated that its audits of hospital data security systems show "numerous, significant vulnerabilities" that put patient data "at high risk."