On October 22, 2008, the Federal Trade Commission ("FTC") announced that it will delay enforcement actions for violations of the Red Flag Rules for six months, until May 1, 2009.

Under the Red Flag Rules, which were promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003, "creditors" must develop and implement written identity theft prevention programs. In its announcement, the FTC noted that many entities expressed "confusion and uncertainty" about their coverage under the Red Flag Rules, and these entities learned of the requirements of the Red Flag Rules too late to achieve full compliance by the original deadline of November 1, 2008. 

As noted in a prior E-Mail Alert, Hospitals that accept deferred payments for medical services fall within the definition of "creditor" under the Red Flag Rules and must develop and implement written identity theft prevention programs. Hospitals must have these programs in place by the new compliance deadline of May 1, 2009.

More information about the FTC Red Flag Rules is available on our Red Flag Rules Resource Page. The Ohio Hospital Association and Bricker & Eckler have also developed a Red Flag Rules Hospital Compliance Guide, available for subscription, which offers assistance to hospitals with these rules.