February 13, 2009 / Law Alert

Compliance Required: Identity Theft Red Flag Rules and Health Care Providers

As of May 1, 2009, the Federal Trade Commission will begin enforcing the Red Flag rules under the Fair and Accurate Credit Transactions Act of 2003. The Red Flag rules require that all businesses that "regularly extend credit" adopt identity theft prevention programs. Because many health care providers — particularly physician practice groups — accept payment over time, they fall under the Red Flag rules as regularly extending credit. Health care providers must act quickly to develop, adopt, and implement a written identity theft prevention program that is both usable in their business and that complies with the Red Flag rules. Although the complexity of each health care provider's program will vary depending upon its business practices, the FTC has identified 26 possible "red flags" to include.