President Signs Red Flags Rule Clarification Act Into Law

The “Red Flags” Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts. By identifying red flags in advance, organizations are better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

The Red Flag Program Clarification Act of 2010 was the result of continued confusion over which businesses were required, by the end of the year, to implement Red Flags Rule programs designed to prevent and mitigate the risk of identity theft. The Red Flags Rule is regulated by the Federal Trade Commission (FTC).

The bill amends the original definition of “creditor” that the FTC was instructed to use in writing the regulation. The bill limits the definition of a “creditor” under the Fair Credit Reporting Act to only those entities that use consumer reports, furnish information to consumer reporting agencies, or advance funds to or on behalf of a person. This definition in effect excludes law firms, health care practices, retailers, utility companies, telecommunications firms, automobile dealerships, and other small businesses from complying with the Red Flags Rule. The purpose of the limitation was to ensure that the Red Flags Rule covers the creditors that pose the highest risk for identity theft, including creditors that use consumer reports, furnish information to consumer reporting agencies, or lend money to individuals.

For healthcare organizations that have developed and implemented the Red Flags Rule, experts point out that you still have a duty to safeguard the confidentiality of protected health information. An organization that had a policy in place and then stopped using it because of a relaxation in the law may be particularly vulnerable to claims that it could have prevented someone’s identity theft and didn’t. We recommend reviewing your policies and procedures regarding identity theft prevention.

You can find practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts. Learn how to put in place your written Identity Theft Prevention Program at

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us