After multiple delays, the Federal Trade Commission (FTC) will begin enforcement of the Red Flag Rules starting on June 1, 2010. The purpose of the Red Flag Rules is to prevent, identify, and report identity theft. In general, most healthcare organizations will be considered “creditors” that manage “covered accounts” under these rules and will be required to enact formal, written policies and procedures to comply with the new law. The Red Flag Rules define “creditor” broadly to include entities that regularly defer payment on goods or services or provide goods or services and bill for them later. Many healthcare providers will fall into the category of “creditor.”

If the Red Flag Rules apply to an organization as described above, the organization is required to implement written policies and procedures to identify and address the “red flags” that indicate identity theft. For healthcare organizations, the key is developing a list of red flags that may indicate that a person presenting for services is not who they say they are. In practice, organizations may already have procedures that cover much of what is required, but the new rules require formalized processes in written policies and procedures.

Applicable organizations should also ensure that staff members are trained in the new policies and reporting procedures. For most healthcare organizations, Red Flag Rule policies may be integrated into the organization's current compliance plan reporting structure.