The FTC published the Red Flag rule on November 9, 2007.   However, over the last year there was considerable confusion and uncertainty about whether the rule, which is primarily geared toward financial institutions and other lenders, also applied (or should apply) to healthcare providers.   However, on October 15, 2008, the Office of the National Coordinator for Health IT (ONC) sponsored a Medical Identity Theft Town Hall and, on the same day, posted a document titled "Medical Identity Theft Environmental Scan" which, among other things, confirms that the FTC’s Red Flag Rules extend to "entities outside of the traditional financial institutions, including entities in the health care industry."   The FTC’s June 2008 Business Alert  also specifically noted that "nonprofit entities and government entities that defer payment for goods and services [are] considered ‘creditors’" for purposes of the rule.

The compliance deadline for implementing Red Flags is fast approaching on November 1, 2008.    UPDATE: On October 22, 2008, the FTC delayed the compliance deadline for Red Flag requirements pertaining to identity theft for six months.  The new compliance deadline is now  May 1, 2009

A broad application of the Red Flag rules to the healthcare sector has likely been embraced because of an increased awareness that medical identity theft is a growing issue in healthcare;  And, it is hoped that Red Flags will assist with combating this risk.  To comply with the Red Flag rule requirements, hospitals must have a plan in place to detect, mitigate, and prevent red flags that signal potential identity theft.  Covered Entity providers may note that an effective HIPAA privacy and security compliance program contain many safeguards (i.e., access controls, person/entity authentication, audits etc.) that already accomplish some of what the Red Flag rules require.

For a sample medical identity theft policy, visit the website of Health Ethics Trust.  The World Privacy Forum also published a report on September 24 entitled "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers" that is helpful.