The Red Flags Rule became effective November 1, 2008; however, the actual enforcement date has been delayed several times resulting in the current enforcement date of November 1, 2009.  Several professional organizations are “negotiating” with the Federal government in the attempt of trying to exempt physicians in the definition of “creditors”.  The Federal Trade Commission states that the extra grace period is “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.”   Penalties for not complying with the Red Flags Rule are $3,500 per incident under Fair Credit Reporting.

The information provided below has been developed for small businesses who are considred “low-risk” to comply with the Red Flags  Rule.  The following is an excerpt from the Federal Trade Commission website:


Do-It-Yourself Program for Businesses at Low Risk For Identity Theft

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs – or “red flags” – of identity theft. By identifying red flags, you’ll be in a better position to spot an imposter trying to defraud you by using someone else’s identity to get products and services.

As a practical matter, most businesses and organizations that provide products and services to their customers and then bill them later are covered by the Rule. To find out if the Rule applies to you, read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business.

The Red Flags Rule gives you the flexibility to design an Identity Theft Prevention Program appropriate for your business, given its size and potential risk for identity theft. While some companies need a comprehensive Program, businesses and organizations at low risk for identity theft may find that a streamlined Program fits the bill. If you’re at low risk for identity theft, this do-it-yourself Program may be sufficient.

This streamlined program seems to be the easiest and most straightforward way to implement the RFR policy in most physician’s practices.

Some helpful resources provided by professional organizations are as follows:

American Medical Association (AMA) .

Medical Group Manager’s Association (MGMA) RFR Resource Center at .

Modern Medicine article:

Federal Register, November 9, 2007:  “Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation”