The ‘Red Flags’ Rule

Has a new patient given you identification documents that look altered? Does a patient complain about getting a bill for a service that he or she didn’t receive? Is there an inconsistency between a physical exam or medical history reported by the patient and the patient’s actual treatment records? These are just some of the “red flag” situations that may be signals of medical identity theft. 

To help prevent and mitigate instances of medical identity theft, the Federal Trade Commission (FTC) is enforcing the Red Flags Rule as of June 1, 2010.* This Rule requires certain businesses and organizations—including many doctors’ offices, hospitals, and other health care providers—to develop a written program to help detect identity theft warning signs in day-to-day operations. 

The FTC has developed a variety of resources to assist you with Red Flags Rule preparation and compliance. We encourage you to visit the FTC website , where you will find the following helpful resources: 

  • Fighting Fraud with the Red Flags Rule: A How-to Guide for Businesses—This thorough guide will help you determine if the Rule applies to your practice, learn how to identify and handle suspicious situations, and find out how to implement a written Identity Theft Prevention Program.
  • Getting Red Flags Ready Video—This presentation provides an overview of the Rule along with practical tips on spotting identity theft red flags, taking steps to prevent escalation and mitigating damage.
  • Do-it-Yourself Template for Low-risk Businesses—This online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program so that you can share details with your staff. 

If you have any questions about the Rule, you may send an email to

*The previous enforcement date was Aug. 1, 2009. 

This material is for informational purposes only, and is not the provision of legal advice. If you have any questions regarding this law, you should consult with your legal advisor.