Red-flag rule postponed again

Physicians have received yet another extension in the deadline for complying with the "Red Flags" rule requiring programs to guard against identity theft. The Federal Trade Commission (FTC), the agency which developed the rule and is responsible for implementing it, announced in late July that it was moving the deadline for compliance from August 1 to November 1.

The rule requires businesses that extend credit to customers – which, under the FTC’s definition, includes most physicians practices -- to develop written plans for identifying and responding to warning signs – red flags – of identity theft. Such signs include alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious forms of personal identification; and notifications from customers, victims of identity theft, or law enforcement authorities about possible identity theft.

Health care professionals led by the American Medical Association have vigorously sought to persuade the FTC that they should not be covered under the Red Flags rule. In February, 49 medical societies and all 50 state medical societies stated their objections in a letter to FTC Chairman William Kovacic.

The rule was originally to take effect November 1, 2008. The deadline was subsequently extended to May 1 and then August 1.