On April 30, 2009 the Federal Trade Commission (FTC) made a last-minute decision to delay enforcement of the new identity theft detection and prevention rules (Red Flags Rules) by pushing back the compliance deadline from May 1 to August 1, 2009. The FTC has interpreted the Red Flags Rules as applying to the health care sector, where medical identity theft is a major concern. The FTC made a similar announcement last year when enforcement, originally to become effective November 1, 2008, was delayed until May 1 of this year after pushback from some industries including health care providers, who were uncertain whether they were subject to the rules. Health care providers now have an additional three months to develop and implement the written identity theft prevention programs required under the rules. By delaying enforcement, the FTC indicated that it wanted to give those covered by the requirements more time to develop and implement the required programs. The announcement was welcomed by the American Medical Association, which has objected to the FTC's interpretation that health care providers are covered by the rules.


On November 9, 2007 six federal agencies including the FTC published the Red Flags Rules. These rules, promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003, require financial institutions and creditors to develop and implement written identity theft prevention programs. The programs must be developed for identifying, detecting and responding to patterns, practices or specific activities – know as "red flags" – that could indicate identity theft.

Implications for Health Care Providers

A health care provider is covered by the Red Flags Rules if it is a "creditor" that offers or maintains "covered accounts." A creditor is any entity that regularly accepts deferred payment for goods and services. Health care providers that provide services to patients and regularly permit patients to pay for such services over time through a payment plan would likely be considered creditors. An account means a continuous relationship established by a person with a creditor to obtain a product or service. An ongoing relationship between a patient and a provider that is a creditor would be an account. A covered account is an account designed to permit multiple payments or transactions, as well as any other account for which there is a reasonably foreseeable risk of identity theft. Patient medical and billing records contain the patient's name, address and other personal identifying and financial information and are likely covered accounts.

The Red Flags Rules require a creditor that offers or maintains covered accounts to develop and implement a written identity theft prevention program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The rules provide considerable flexibility, allowing entities to establish programs that are appropriate given their size and complexity and the nature and scope of their activities.

The program must include reasonable policies and procedures to: (1) identify relevant so-called red flags – patterns, practices or specific activities that indicate the possible existence of identity theft; (2) detect red flags; and (3) respond appropriately to any red flags that are detected. The program must be approved initially by the entity's board of directors (or an appropriate committee of the board) and must be updated periodically. The board or committee must remain involved in the program's oversight and administration. The entity must also provide appropriate training for staff.

Many health care providers may already have some of the requisite policies in place due to overlap between the Red Flags Rules and HIPAA. For more information, see the appendix to the Red Flags Rules (Appendix A to Part 681 – Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation). Furthermore, a supplement to the guidelines (Supplement A to Appendix A) lists sample red flags.