AMA   Jama & Archives  AMNews  AMPAC


Physician Resources

  • A
  • |
  • A
  • Text size
  • Print

Red Flags Rule

Protect your Patients, Protect Your Practice: What You Need to Know about the Red Flags Rule

Compliance Date: August 1, 2009

Update: The Federal Trade Commission (FTC) has delayed the compliance deadline of the Red Flags Rule until August 1, 2009.  The AMA will utilize this time to convince the FTC and Congress that physicians are not "creditors" and therefore should not be subject to this rule.

In November 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule,” requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. In response to FTC staff indications that the FTC intends to apply the Rule to physician practices, the AMA expressed its concerns and successfully delayed implementation of the Rule until August 1, 2009. The AMA is continuing its efforts to persuade the FTC that physicians are not “creditors,” and therefore should not be subject to the Red Flags Rule. In the interim, and because of the immediacy of the August 1, 2009 implementation date, the AMA has prepared a guidance document, along with sample policies, so that members can incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies.

Red Flags Rule Guidance Document (PDF)
This informative resource addresses the following questions:

  • What is the purpose of the Red Flags Rule?
  • How do the rules differ from HIPAA Privacy and Security Rules?
  • Who has to comply with the Red Flags Rule?
  • What is a “Red Flag”?
  • How can physician practices comply with the Red Flags Rules?

Sample Policy (PDF)
This resource includes simple, customizable policies and procedures to incorporate into your practice in order to comply with the requirements of the Red Flags Rule that entities have reasonable policies and procedures in place to identify, detect, and respond to Red Flags. Also included in this policy is the FTC's Identity Theft Affidavit (PDF), which can be used by patients who may be victims of identity theft.

AMA member's can access the Word version of the Sample policy (Word) and adapt it to their individual practice.