Published 4/1/2009
Marty Krawczyk

“Red Flag” enforcement begins May 1

Will your practice be in compliance?

Last fall, the Federal Trade Commission (FTC) delayed enforcement of the “Identity Theft Red Flag Rule” (the Rule) from November 1, 2008, until May 1, 2009, to give industries and professionals—such as physicians and other healthcare providers—who were unaware of their responsibilities time to comply. That deadline is just days away, and compliance is mandatory.

The Red Flag Regulations and Guidelines (§114 of the Fair and Accurate Credit Transactions Act, as amended in 2007) provides financial institutions and creditors with a framework for identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft, defined as “a fraud committed or attempted using the identifying information of another without authority.”

Challenges denied
Both medical associations and legal professionals have challenged the FTC, insisting that the Rule does not and should not apply to physicians and related healthcare providers. The challenges have focused on the following three issues:

  • Physicians are not creditors as defined by law.
  • Because healthcare providers are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), they should not be required to comply with the Rule.
  • Compliance would pose a burden to medical practices.

In February the FTC responded, maintaining its position that physicians and other healthcare providers are covered by the Rule. The agency contends that intent of the Rule is to address all forms of identity theft, including those related to healthcare services. Under the FTC guidelines, physicians are creditors if they regularly bill patients for services.

The FTC also states that the Rule generally complements, rather than duplicates, HIPAA data security requirements and is designed to ensure that medical practices are alert to signs that a patient may be using fraudulent information to obtain medical services.

The FTC also noted that the Rule is flexible and tailored to the potential degree of identity theft faced by the individual physician. This risk-based criteria determines the simplicity or complexity of a medical practice’s individual written identity theft prevention program. For details on developing an identity theft prevention program for your practice, see “Identity theft: Could it happen in your office?”, or search “Red Flag” on the online practice management center (www.aaos.org/pracman).

Why comply with the Rule?
Compliance is mandatory and under the Fair Credit Reporting Act, the FTC can impose monetary penalties for noncompliance. Practices need to demonstrate a good faith effort to comply with the Rule as evidenced by the development of a written identity theft prevention program. The program can protect patients and the practice from the significant, harmful effects resulting from identity theft.

Marty Krawczyk is a practice management coordinator in the AAOS practice management group; she can be reached at krawczyk@aaos.org


  1. The full text of the Final Red Flag Rules, Section 114 of the Fair and Accurate Transactions Act (FACTA)
  2. Consumer Identification Programs for Financial Transactions
  3. Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The World Privacy Forum (September 24, 2008)