New law requires medical practices to adopt ID theft-prevention programs

Most practices will be required to have a plan in place by May 2009 to alert them to signs of potential theft of their patients' identities and to help prevent spread of the crime, according to a ruling by the Federal Trade Commission.

The so-called "Red Flag" rules were initially believed to apply only to financial institutions, but the FTC classifies health-care providers with other types of creditors, which means they must implement the requirements to prevent ID theft, according to experts.

"We've spoken to them, and they are taking the position that these rules definitely apply to health-care providers," says Joshua Freemire, a health-care attorney with Ober Kaler, a Baltimore law firm. Enforcement was set to begin last month, but the FTC granted a six-month extension to allow affected organizations to prepare.

"A one-and two-doctor practice's policy will understandably be less complex than a multispecialty group practice," he says. "The smaller practices should at least consult their attorney."

For more information on the warning signs of ID theft, go to http://www.memag.com/identitytheft.