With the June 1 deadline looming for the Red Flags Rule, industry experts, say physicians should already be complying.

The Red Flags Rule requires providers, whose activities fall within the law’s definition of “creditor” and “covered account” to develop a written program to spot the warning signs of identity theft.

“The FTC’s guidelines are intended to help encourage what should already be being done,” says Scott Mitic, a national expert on identity theft and consumer credit issues and CEO of, TrustedID, a Redwood City, Calif.-based company that develops and markets identity theft solutions.

The FTC provides organizations with four steps to comply.
1. Identify the red flags of identity theft you’re likely to come across in your practice;
2. Set up a procedure for detecting them in day-to-day operations;
3. Prevent and mitigate identity theft by responding appropriately to red fags that are identified; and
4. Keep your program current and educate your staff.

Mitic says complying with the Red Flags Rule is not only “good business practice” but is also “common sense.”

Pam Dixon, founder of the World Privacy Forum, a nonprofit, public interest research group, believes there will be a long grace period for physicians, and they will have ample time to comply.

“Compliance is not onerous,” she says. “There is very little work in terms of making sure there is a plan.”

But the American Medical Association, (AMA), the largest association of physicians and medical students in the United States, is opposed to having health professionals included in the rule. The AMA has put a “black eye” on the rule, says Linda Foley, founder of the Identity Theft Resource Center, a national victim assistance and public education organization established in response to an epidemic rise in identity theft crimes.

She says these organizations believe the FTC has overreached its authority. And given the result of recent litigation against the FTC by the American Bar Association, which ruled that lawyers should be exempt from the rule, the AMA believes healthcare professionals should be excluded as well. 

“The court ruling sends a clear signal that the FTC needs to re-evaluate the broad application of the Red Flags Rule,” said AMA President J. James Rohack, MD.

“It is incredibly important for healthcare professionals to have an identity theft plan in place,” says Dixon. “The AMA does not understand the gravity of medical identity theft. It would be a mistake to push back this regulation.”
Nearly 5 percent of identity theft victims have experienced some form of medical identity theft, according to a survey by the FTC.

“Cyber crime is a reality in the digital age,” Foley says.

The use of electronic medical records has also contributed to medical identity theft happening on a much broader scale, says Dixon.

“We can’t protect all the information from hacking and from an insider, but the goal is to limit opportunities,” said Foley.

Mitic says that an investment in fraud detection software is unnecessary. 

The Red Flags Rule is about taking a look at HIPAA compliance and modifying that to comply with the rule, said Dixon. She doesn’t believe there is a software package that would necessarily help with compliance.