• Red Flag Rules Implementation Date Delayed
  • November 6, 2008 | Author: Susan E. Ziel
  • Law Firm: Krieg DeVault LLP - Carmel Office
  • On November 9, 2007, the FTC issued the "Red Flag Rules" which require financial institutions and "creditors" to implement a written identity theft prevention program in accordance with the Fair and Accurate Credit Transactions (FACT) Act.  The FTC has recently taken the position that in most cases, health care providers who maintain "covered accounts" qualify as "creditors." Therefore, most health care providers will be required to comply with the Red Flag Rules.    

    Originally, the regulations required that prevention programs under the Red Flag Rules be implemented by November 1st of this year; however, the FTC has delayed the required implementation date until May 1, 2009.  While this delay allows for added time during which prevention programs can be developed, we believe that it is crucial that providers begin working to meet the regulations' requirements immediately.  Specifically, the Red Flag Rules require that the prevention program and related policy must provide for the identification, detection, mitigation and response to patterns, practices and specific red flag events that could indicate identity theft involving "covered accounts."  In addition to the program and policy implementation requirements that must be met, it is important that health care providers begin related employee training and business associate communications.