On April 30, 2009, the eve of the effective date of the "Red Flags Rule," the Federal Trade Commission (FTC) announced that it would again delay enforcement of the Rule until August 1, 2009 in order to allow organizations more time to develop and implement written identity theft prevention programs. The FTC also announced plans to release a template to help entities that have a low risk of identity theft, such as businesses that know their customers personally, comply with the law. This is the second delay of a rule that was originally to have been effective November 1, 2008.

The Red Flags Rule implements certain sections of the Fair and Accurate Credit Transactions Act of 2003, and requires financial institutions and creditors with covered accounts to develop identity theft prevention programs that identify, detect, and mitigate identity theft. The term "creditor" is defined broadly and applies to any entity that regularly extends or renews credit. It includes all entities that regularly permit deferred payments for goods or services, such as health care entities that bill insurers and are not actually paid until after services are rendered.

According to FTC Chairman, Jon Leibowitz, "given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further."

The FTC is clearly leaving the door open for further changes (and perhaps even reductions) to the scope and impact of the Red Flags Rule. Given the increasing incidence of and risks associated with identity theft, however, healthcare providers and other creditors can and should expect that they will be required to develop some form of an identity theft prevention
http://www.mondaq.com/article.asp?articleid=79360