FTC 'Red Flags' Rule Takes Effect May 1, 2009, Likely Applies to Your Practice

April 6, 2009


The Federal Trade Commission (FTC) "Red Flags" Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs, or "red flags," of identity theft in their day-to-day operations. Health care providers should pay particular attention to the requirements that the Red Flags Rule applies to "creditors." The FTC has determined that physicians are considered creditors based on common patient billing practices.

The Red Flags Rule requires creditors and financial institutions ("covered entities") to conduct a risk assessment to determine if they have "covered accounts," which include consumer-type accounts or other accounts for which there is a reasonable risk of identity theft. If so, the covered entity must develop and implement a written Identity Theft Program ("Program") to identify, detect, and respond to possible risks of identity theft relevant to them.

The first step any business or organization should take is to determine whether it is in fact deemed a "creditor" under this rule and, if so, to verify whether it has "covered accounts" according to the provision.

Useful Resources

View information provided by the FTC on the Red Flags Rule.

View an article developed by the FTC specifically to help health care providers in complying with new requirements for fighting identity theft.

Visit the AMA’s website for more information.