In November 2007, the Federal Trade Commission issued a set of regulations known as the “Red Flags Rule” or the Rule requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. Due to wide confusion over who must comply with the Rule, the FTC has postponed enforcement of the Rule four separate times, with the most recent postponement issued November 1, 2009. In order to give entities more time to review FTC guidance and develop and implement mandated written identity theft prevention programs, the FTC has further delayed enforcement of the Rule until June 1, 2010.
Under the Rule, “creditors” must develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. The FTC has gone on record that healthcare entities, such as physician practices, are “creditors” subject to the Rule if they defer payment. Not demanding payment in full at the time of service, including through the billing of insurance, makes practices “creditors.”
Drafting and implementing a program to comply with the Red Flags Rule does not have to be an expensive or protracted exercise. The Rule gives practices a great deal of flexibility to design and implement programs that are appropriate to their size and complexity and the nature of their operations. The FTC’s Red Flags website offers resources to help entities comply with the Rule.
For more information, contact Jim Pyles at jim.pyles@ppsv.com.