With ambiguity over the definition of ‘creditor’ as it relates to the healthcare environment the American Medical Association (AMA) along with others cried “foul” and threw their challenge flag regarding the FTC’s Red Flag Rule. While the AMA is not against protecting patient’s privacy, details within the regulations caused some turmoil as to how this would disrupt physician practices. Delayed implementation and one lawsuit later saw the deadlines continued to get pushed back. Then in December 2010 Congress passed, and Obama signed into law, the “Red Flag Program Clarification Act of 2010.” Clarifying what creditor means, it essentially removed physicians from under the Red Flag Program. Even with this, it doesn’t mean healthcare can just ignore identify theft issues.  Even the AMA agrees. While they don’t think most physicians will fall under the redefined categories of ‘creditor’ it does provide some Red Flag Rule Guidance, sample policy, and FAQ  on their website (AMA membership required). Every organization can benefit from an identity theft prevention program and healthcare is no exception. In fact the majority of privacy breach violations are prosecuted under HIPAA anyways. With the loss of regulatory deadlines, the urgency to implement programs “formally known as Red Flag” seems to be faltering in some healthcare institutions. However the benefits of a successfully implemented identity theft program may limit losses and even gain consumer/patient confidence. With losses occurring due to bad debt and denial of payment false pretenses of identity theft (otherwise known as “I don’t want people to know it was me that was sent to the ED passed out”) a program can help successfully defend revenue recapture efforts. It also helps to curtail medical errors when individuals attempt to use another person’s medical records/insurance to obtain treatment or are merely drug seeking.  Anyway it’s sliced an identity theft program will aid any organization and many healthcare organizations are continuing forward with their programs regardless of where they are in their implementation. While the FTC continues to offer guidance HITRUST may interest healthcare organizations directly with its Common Security Framework (CSF) that has continued to gain momentum in offering a validation tool to not just Red Flag but also HIPAA and other requirements.  For those healthcare environments that have quantified the costs of resolving identity theft claims (both legitimate and not), they realize a little preventative medicine is worth it. I don’t need to remind those in healthcare that while that annual influenza shot may sting a little when you get it, it’s worth it in the long run.