The Federal Trade Commission (FTC) granted a six-month delay in enforcement of the Identity Theft Red Flag Rule, from November 1, 2008, to May 1, 2009. Creditors with covered accounts, as defined in the rule, must implement the Red Flag Program, including, among other elements, red flag identification, policy and procedure development, board approval and staff training by May 1, 2009. As discussed in more detail in this McDermott On the Subject dated October 10, 2008, most health care providers will likely be required to comply with the Red Flag Rule. Please note that the delay does not apply to the requirement that consumer report users implement policies and procedures for handling notices of address discrepancies, which still has a November 1, 2008, deadline. Please also note that enforcement of the Red Flag Rule against credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action, nor is enforcement of address change requirements for card issuers. Health care providers should verify whether the Red Flag Rule is applicable to them and develop a compliant program without delay.