The Federal Trade Commission (FTC) has issued a reminder of the upcoming Nov. 1, 2008, compliance deadline for implementing identity theft prevention programs pursuant to the identity theft red flag rules (Red Flag Rules). In brief, the Red Flag Rules require financial institutions and creditors holding consumer or other "covered accounts" to develop and implement an identity theft prevention program, and to develop reasonable policies and procedures to prevent and mitigate identity theft. A "covered account" is defined as an "account…primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions…for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the…creditor from identity theft." Patient accounts maintained by hospitals a nd other providers appear to satisfy this definition. The Red Flag Rules give entities some flexibility in implementing identity theft programs, depending on their size and the complexity of their operations. Because many of the requirements of the Red Flag Rules overlap with requirements of the Health Insurance Portability and Accountability Act (HIPAA), health care providers are likely to already have implemented many of the required measures in their HIPAA compliance efforts. We recommend that providers review their privacy and security programs to determine whether they adequately address the requirements of the Red Flag Rules. Find more information here.