Red Flag Rules Compliance Deadline Approaches: Providers should focus on identity theft prevention program implementation

Health care providers take note: the May 1, 2009, Red Flag Rules compliance deadline is approaching quickly. The Red Flag Rules apply to all entities that meet the Federal Trade Commission's very broad definition of a “creditor” and that maintain “covered accounts.” This includes many, if not most, health care providers.

The Red Flag Rules require those covered to develop and implement an identity theft prevention program. The four basic steps to such a program are: (1) identifying relevant red flags; (2) detecting red flags; (3) preventing and mitigating identity theft; and (4) updating the program periodically.

As a practical matter, health care providers also should verify that their identity theft prevention programs are in line with applicable state law standards governing the protection and storage of consumers' personal information, in addition to the Red Flag Rules. For example, Massachusetts recently adopted 201 MASS. CODE REGS. 17.00-.05, which imposes more onerous data security requirements than the Red Flag Rules.

The initial compliance date for the Red Flag Rules was postponed to May 1, 2009, to allow health care providers sufficient time to carefully develop and implement their programs. It is unlikely that health care providers will get a second reprieve. Now is the time to refocus attention on developing your Red Flag compliance program.

Previous related advisory bulletins

Additional information about the applicability and requirements of the Red Flag Rules may be found in the following advisory bulletins previously issued by Davis Wright Tremaine LLP:

FTC Delays Enforcement of Red Flag Rules to May 1, 2009
By Rebecca L. Williams and Brent R. Eller, Oct. 2008

Health Care Providers: Don't Miss the Red Flags
By Rebecca L. Williams and Brent R. Eller, Aug. 2008

“Red Flag” Identity Theft Programs Required by November 2008
By John D. Seiver, July 2008