On October 22, 2008, the Federal Trade Commission (FTC) announced that it is delaying its enforcement of the Red Flag Rules until May 1, 2009. As discussed in detail in our October 2008 Health Law Client Memorandum entitled “Red Flag Rules Apply to Health Care Providers,” the Red Flag Rules apply to health care providers who extend credit to patients by providing services and accepting payment in installments, and require such providers to implement identity-theft prevention programs.

Until the FTC delayed enforcement, the Red Flag Rules were scheduled to become effective on November 1, 2008. In the course of its education and outreach efforts, the FTC learned that some industries under its jurisdiction had expressed confusion and uncertainty about whether they are required to comply with the Red Flag Rules. Many entities indicated to the FTC that, because they are generally not required to comply with FTC rules in other contexts, they had not been aware of the rulemaking and, therefore, learned of the Red Flag Rules requirements too late to comply by November 1, 2008.

The FTC’s action affords health care providers additional time to develop practical and compliant identity-theft prevention policies and procedures under the Red Flag Rules. Please note, however, that this delay in enforcement does not extend to the Address Discrepancy Rules applicable to those who use consumer reports (i.e., credit reports). These rules are still scheduled to become effective on November 1, 2008.