Pursuant to regulations issued by the Federal Trade Commission (“FTC”), "financial institutions" and "creditors" are required to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003 (the “Red Flag Rules”). Hospitals that accept deferred payments for medical services will fall within the definition of "creditor" under the FTC's Red Flag Rules and must develop and implement written identity theft prevention programs to comply with these regulations.

On October 22, 2008, the FTC announced that it would delay enforcement actions for violations of the Red Flag Rules for six months, until May 1, 2009. As a reminder of that upcoming effective date, hospitals subject to the Red Flag Rules now have less than two months to develop and implement their identity theft prevention programs.

More information about the FTC Red Flag Rules is available on our Red Flag Rules Resource Page. The Ohio Hospital Association and Bricker & Eckler have also developed a Red Flag Rules Hospital Compliance Guide, available for subscription, which offers assistance to hospitals with these rules.