On Nov. 9, 2007, the Federal Trade Commission (FTC) created the Red Flags Rule, requiring creditors to develop and implement written identity theft prevention programs within their organizations. The rule defines a “Creditor” as any person who regularly extends, renews, or continues credit, or any person who regularly arranges for the extension, renewal or continuation of credit. Because physicians do not generally collect payment in full at the time of service, the FTC has informally indicated that the Red Flags Rule requirements will likely apply to physician practices. Although some physician advocacy groups such as the AMA have challenged this assertion, at present the FTC has not exempted physicians from the definition of Creditors. The compliance date in the regulations was originally November 1, 2008, but has been extended to August 1, 2009. Accordingly, physicians need to begin familiarizing themselves with the Red Flags Rule and should plan on becoming compliant by August 1.
Among other things, the Red Flags Rule requires “Creditors” to implement a written identity theft prevention program that includes reasonable policies and procedures to: (i) identify relevant red flags and incorporate those red flags into the program; (ii) detect red flags that have been incorporated into the program; (iii) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and (iv) ensure the program is updated periodically to reflect changes in the risks of identity theft. Although the regulations are fairly complex, implementing a workable program should not be overly burdensome for most practices. As the Red Flags Rule compliance date approaches, we at Fox Rothschild LLP will be developing cost-effective resources to assist practices in developing compliant identity theft prevention programs. In the meantime, if you have questions regarding the Rule, please contact us here.