FTC Red Flags Rule Deadline is December 31, 2010
June 1, 2010
At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.
Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: "creditor" and "covered account."
The Rule is designed to reduce the overall incidence and impact of identity theft and the FTC has made it clear that this includes physicians and related health care providers, among other individuals and businesses deemed as "creditors" to develop and implement a formal written program to detect, prevent and mitigate identity theft, including medical identity theft.
The red flags rules apply to "financial institutions," and "creditors" with "covered accounts."
Physicians will fall under the creditor classification – a creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
To be compliant under the red flags rules, financial institutions and creditor must develop a written plan that identifies and detects the applicable warning signs or "red flags" of identity theft. Such as:
- unusual account activity
- fraud alerts on a consumer report
- any attempted use of suspicious account application document
- how the business entity will respond to the detection of red flags, and
- provide necessary measures for continued oversight and updating.
By identifying red flags in advance, rheumatology practices will be better equipped to spot suspicious patterns when they arise and take steps to prevent a "red flag" from escalating into a costly episode of identity theft.
The FTC will also be the agency that enforces the Rules for the health care sector. When the FTC begins enforcing the Rules, failure to comply could lead to administrative penalties or up to $3,500 in fines per violation.
Physicians and their staff can download a "How-to-Guide for Business" at http://www.ftc.gov/redflagsrule - the guide describes the entities that are covered by the Rule and provides information to help develop identity theft prevention programs.
Additional questions or concerns can be e-mailed directly to the FTC at or contact Melesia Tillman, CPC, CRHC, CCP at
