Article Text

Download PDFPDF
The Red Flags Rule: controversy over application to physicians
  1. Stephanie A Cason,
  2. Robert M Portman
  1. Powers Pyles Sutter and Verville PC, Washington, District of Columbia, USA
  1. Correspondence to Robert M Portman, 1501 M Street, NW, Seventh Floor, Washington, DC 20005, USA; rob.portman{at}

Statistics from

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.

In November 2007, six federal agencies, including the Federal Trade Commission (FTC), issued final regulations to deal with the risks of identity theft and develop plans for mitigating these risks as mandated under the Fair and Accurate Credit Transactions Act.1 These regulations, collectively referred to as the Red Flags Rule,2 became effective 1 January 2008 with mandatory compliance required by 1 November 2008. However, owing to wide confusion over who must comply with the Red Flags Rule, the FTC has repeatedly delayed enforcement. On 28 May 2010, the FTC announced it would delay enforcement of the Red Flags Rule through 31 December 2010 while Congress considers legislation that would exempt certain entities, including physicians, from having to comply.3 The application of the Red Flags Rule to physicians is also being challenged in court. In the meantime, physicians should be preparing compliance plans in case the court challenges fail.

The NeuroInterventional (NI) community of physicians has historically functioned in a hospital-based setting. As such, many NI physician practices will be able to rely on the support of their hospital to provide mechanisms to comply with emerging regulations such as the Red Flags Rule. Therefore, as with other regulatory compliance burdens, NI physicians, depending on their model of practice, will have to invest variable amounts of time and resources to ensure their proper compliance.

Background on Red Flags Rule

Under the Red Flags Rule, “creditors” must develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The definition of “creditor” did not originally appear to apply to physicians. However, the FTC has made repeated statements that the Red Flags Rule does apply to them. In March 2009, the FTC published a …

View Full Text


  • SAC, and RMP, are attorneys with Powers Pyles Sutter & Verville PC, a Washington, DC law firm that focuses on health and education law and tax-exempt organizations. PPSV is legal counsel for the Society of NeuroInterventional Surgery.

  • Provenance and peer review Commissioned; not externally peer reviewed.