The Federal Trade Commission (FTC) issued sweeping regulations in 2007 aimed at preventing identity theft. Two provisions of these rules, known as the “Red Flag Rules,” can apply to health care entities. The first provision, requiring address checks for anyone who uses “consumer reports” for employment, insurance or credit purposes, became effective November 1, 2008. A second major component of the Red Flag Rules requires any business that is a “creditor or financial institution” to have written processes and procedures in place to detect, prevent, and mitigate identity theft in relation to accounts covered under the regulations. Enforcement of this provision has been delayed until May 1, 2009. Health care providers can be impacted by this provision if they do not require payment at the time services are provided, or if they are paid by an insurer after services are rendered. The FTC has issued a “How-To-Guide for Business” with information on how to determine if the Red Flag rule applies to your business; tips on compliance; and information on how to put in place a written identity theft prevention program.