As of November 1, 2008, certain Healthcare Institutions will have to comply with regulations established to protect the public against identity theft. These regulations, known as the “Red Flag” rules, were issued jointly by several federal agencies and are directed at banks, mortgage lenders and other traditional creditors; however, they define creditor so broadly that some Healthcare Institutions will need to comply with them. The regulations require affected companies to develop and implement written identity theft prevention programs to identify, detect, and mitigate against identity theft when certain “red flags” are present. The Fair and Accurate Credit Transactions Act defines a red flag as a pattern, practice, or specific activity that indicates the possible existence of identity theft. The regulations cover Financial Institutions, Creditors and users of Consumer Reports and require that they develop written policies and procedures to comply with the FCRA’s Identity Theft Provisions. Depending upon whether you are a Financial Institution, Creditor or Consumer Report user, your responsibilities will differ, although all affected companies must adopt and implement broad identity theft prevention systems. The regulations also require that a health care organization’s board of directors (or other governing body) become involved with the identity theft prevention programs. Failure to comply could result in sanctions.