Published 6/1/2009

Temporary reprieve on “Red Flag Rules” enforcement

FTC delays enforcement until Aug. 1, 2009

The U.S. Federal Trade Commission (FTC) has extended the compliance deadline for the Identity Theft Red Flag Rules from May 1, 2009, until Aug. 1, 2009, to give business entities more time to develop and implement written identity theft prevention programs.

The rule requires creditors and financial institutions to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. The FTC maintains that business entities that provide services and bill later—including physicians and other professionals—are creditors, and as such must comply with the rule.

The rule is risk-based, which means that the nature and complexity of any identity theft prevention program should be tailored to the business and its potential risk factors. Practices that have policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) can include these in the program. Other identity theft prevention strategies that are already in place in the practice can also be incorporated.

In addition to educational materials currently available on the FTC Web site, the agency has also developed a compliance template (PDF) to help businesses with a low risk of identity theft to adopt the program. The World Privacy Forum has also developed information to help healthcare providers understand and develop an identity theft prevention program.

The online AAOS Practice Management Center also includes information on the guidelines and what they mean for medical practices.