The April 30, 2009 edition of the Long Term Care Newsletter contained an article regarding the new “Red Flags Rule” being implemented by the Federal Trade Commission (FTC). The Red Flags Rule will affect nearly half of the healthcare providers in America, and will require written procedures and policies pertaining to identity theft. The implementation date had previously been extended from November of 2008 until May 1, 2009. Late on April 30, 2009, after the Long Term Care Newsletter had been mailed, the FTC announced that it was extending the implementation three months from May 1, 2009 to August 1, 2009. The announcement did not affect other federal agencies’ enforcement of the original November 2008 compliance deadline.
The FTC explained that it was delaying enforcement of the new “Red Flags Rule” until August 1, 2009 so as to give creditors and financial institutions more time to develop and implement the written identity theft prevention programs, which we described in the April 30, 2009 Long Term Care Newsletter.
Notably, the FTC also indicates that for entities with a low risk of identity theft, such as businesses that know their customers personally, it will soon release a template to help with compliance.
The FTC’s explanation further questions whether or not Congress intended to write its rule as broadly as it has been interpreted, and in a very frank statement, the FTC Chairman Leibowitz said that the extension was also designed to give Congress an opportunity to reexamine the issue.
Long term care clients should continue preparing to implement the Red Flags Rule, and should now be targeting the August 1, 2009 date. The reprieve is welcome considering many entities had yet to finalize their written program. Additional information should be reviewed at: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule, including the FTC’s templates for “low risk” entities.