Identity Theft Red Flags Rule

The Federal Trade Commission (FTC) announced a delay in the enforcement of the Red Flags rule, giving physicians and other creditors until August 01, 2009, to develop and implement written identity theft programs. This is the second delay in enforcement of the rule due to the wide-ranging impact of the law as written by Congress and resulting confusion regarding who must comply.

The FTC has also published an online template for determining if your practice is at low risk for identity theft and if so, to assist you in developing a program in compliance with the rule. This six-page template allows for creation of a program by filling in the blanks provided for each aspect of your program and then printing the final document for your records.

Most physician practices need to be in compliance with requirements of the final rule entitled, "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003" by the new August 1st deadline. These final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act were originally posted with a compliance date of November 01, 2008. Due to questions regarding whether physicians met the definition of creditors, this was extended pending a now complete review (9-page PDF file; About PDFs) by the Federal Trade Commission, which determined that many physicians are creditors and subject to the rule.

The following resources are intended to assist members in understanding the purpose of the rule, what is required in the physician practice setting, and to provide some ideas that may make compliance program development, implementation, and training less complex and more integrated with other programs, such as HIPAA privacy and security programs.