American Academy of Family Physicians

Identity Theft Red Flags Rule

NEW - October 30, 2009:

The Federal Trade Commission (FTC) announced a delay in the enforcement of the Red Flags rule, giving physicians and other creditors until June 01, 2010, to develop and implement written identity theft programs. This is the third delay in enforcement of the rule due to the wide-ranging impact of the law as written by Congress and resulting confusion regarding who must comply. In fact, the rule may not apply to everyone who may be defined as a creditor by the FTC. On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. This ruling is subject to appeal and does not limit the enforcement of any identity protection requirements of state law or other regulations.

The FTC has also published an online template (6-page PDF file) for determining if your practice is at low risk for identity theft and, if so, to assist you in developing a program in compliance with the rule. This six-page template allows for creation of a program by filling in the blanks provided for each aspect of your program and then printing the final document for your records.

Most physician practices need to be in compliance with the requirements of the final rule entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003" by the new June 1st deadline. These final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act were originally posted with a compliance date of November 01, 2008. Due to questions regarding whether physicians met the definition of creditors, this was extended pending a now-complete review (9-page PDF file) by the FTC, which determined that many physicians are creditors and subject to the rule.

The following resources are intended to help members understand the purpose of the rule and what is required in the physician practice setting, and to provide some ideas that may make compliance program development, implementation, and training less complex and more integrated with other programs, such as HIPAA privacy and security programs. We have also included some ideas for protecting the identities of physicians and staff whose identifying information may be on file in a practice.
AAFP Red Flags Rule Presentation -- To assist members and their staff in learning about and complying with the Red Flags Rule, the AAFP has developed...
What is the purpose of the Red Flags Rule? -- This rule is intended to add protections for consumers and creditors due to ...
What is a Red Flag? -- A “Red Flag” is defined as a pattern, practice, or specific activity that could indicate identity theft...
What is required to comply with the Red Flags Rule? -- Physicians who are creditors as defined by the rule must...
Should I purchase a manual for the Red Flags Rule? -- Perhaps, but your written program must reflect the red flags identified for your practice...
Protecting Yourself & Your Staff From ID Theft -- While considering how to detect red flags of ID theft from outside the practice, consider the risks...
Other Red Flags Resources -- In compiling information on the Red Flags rule, we found some helpful sites...