The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know.

The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA.