FTC Suspends Enforcement of Red Flags Rule Until August 1

On April 30, 2009, the Federal Trade Commission (FTC) announced that it will delay enforcement of the "Red Flags Rule" (Rule) until August 1, 2009, to give affected institutions, including some health care providers, additional time to develop and implement written identity theft prevention programs.

The Rule requires "creditors" who maintain "covered accounts" to implement a written identity theft prevention program. Health care providers that bill insurance companies before requesting payment from the patient or offer alternative payment plans to a patient will be considered a creditor under the Rule.

A health care provider offers or maintains covered accounts if the provider establishes a continuing relationship with a patient and creates or maintains an account for such patient that allows for multiple payments or transactions. Covered accounts also include any accounts that the health care provider creates or maintains for which there is a reasonably foreseeable risk to patients of identity theft, including patient billing or payment accounts.

Health care providers should review the requirements of the Rule and, if affected, work with legal counsel to implement a compliant program before August 1, 2009.

For more information, please visit the FTC Web site.