On May 1, 2009, the FTC’s Red Flag Rules (the “Rules”) regarding identity theft prevention go into effect.  The Rules require certain businesses, including health care entities, acting as “creditors” to develop and implement written identity theft prevention programs that identify, detect, and respond to patterns, practices, and activities that might indicate that identity theft has occurred  (i.e., the “Red flags” signaling identify theft).  In addition, the Rules require that an entity’s board of directors approve the identity theft prevention program and all employees receive training related to the program.
  
The Rules apply to health care entities that expressly offer financing or deferred payment plans and to those that do not require full payment up front but rather bill patients after services are rendered.  Noncompliance with the Rules may result in civil monetary penalties and enforcement action by the FTC.

We previously notified clients of the Rules in an earlier e-Bulletin, and we have been assisting health care clients with the implementation of identity theft programs that comply with the Rules to meet the May 1, 2009 deadline.  If you have questions regarding whether the Rules apply to your organization and/or if you need assistance in designing and implementing an identify theft prevention program, please feel free to contact your regular attorney at Taft.