May 1, 2009
As we have explained in prior alerts, the Rules require certain businesses, including health care entities, acting as “creditors” to develop and implement written identity theft prevention programs that identify, detect, and respond to patterns, practices, and activities that might indicate that identity theft has occurred (i.e., the “Red flags” signaling identify theft). In addition, the Rules require that an entity’s board of directors approve the identity theft prevention program and all employees receive training related to the program.
The Rules apply to entities that expressly offer financing or deferred payment plans and to those that do not require full payment up front but rather bill patients after services are rendered. Noncompliance with the Rules may result in civil monetary penalties and enforcement action by the FTC.
The latest reprieve gives companies subject to the Rules additional time to come into compliance. If you have questions regarding whether the Rules apply to your organization and/or if you need assistance in designing and implementing an identify theft prevention program, please feel free to contact your regular attorney at Taft.