The Federal Trade Commission (the "FTC") announced today, July 29, 2009, that it will once again delay enforcement of the Red Flags Rule (the "Rule") from August 1, 2009 to November 1, 2009. In announcing the delay, the FTC indicated that its staff will redouble its efforts to educate businesses about compliance with the Rule and ease compliance by providing additional resources and guidance.
The three-month extension, coupled with the new guidance, is intended to enable businesses to gain a better understanding of the Rule and their obligations under it. The steps taken by the FTC today are in response to the House Appropriations Committee's recent request that the FTC defer enforcement in conjunction with additional efforts to minimize the burdens of the Rule, specifically on health care providers and small businesses with low risk of identity theft problems. The FTC announced that the new guidance will be available on its website shortly.
Under the current interpretation of the Rule by the FTC, health care providers are required to develop Identity Theft Prevention Programs that contain policies and procedures to detect, prevent and mitigate identity theft in connection with patients' accounts maintained by the health care providers. In addition, the Rule sets forth guidelines identifying the relevant warning signs, or red flags, of identity theft that should be incorporated into the Identity Theft Prevention Programs. Failure to comply with the Rule could mean administrative penalties or up to $2500 in fines per violation.
For more information about the FTC's announcement, please contact any of our attorneys at the firm's health law department, at (516) 328-2300 or (212) 279-9200.