The Federal Trade Commission (FTC) has suspended enforcement of the new “Red Flags Rule” [1] until May 1, 2009. This suspension gives creditors and financial institutions additional time to develop and implement written identity theft prevention programs. The October 22 FTC announcement and release of an Enforcement Policy Statement [2] does not affect enforcement by other federal agencies of the original November 1, 2008, compliance deadline for institutions subject to their oversight.

The Red Flags Rule was adopted to require financial institutions and creditors to implement identity theft detection and prevention/mitigation programs. The FTC has taken the unofficial position that the rule applies to any entity, including a hospital or other health care provider, that regularly arranges for the extension, renewal or continuation of credit.

Covered health care providers should note that the new May 1, 2009, compliance date is a moratorium, not a change in regulatory interpretation of the Red Flags Rule. While the FTC announcement gives institutions more time to develop written identity theft programs, covered entities are still expected to comply with the Red Flags Rule by the new enforcement date.