on may 1, 2009, health care providers who are considered creditors should begin compliance efforts with the federal trade commission’s (ftc’s) red flags rule aimed at identity theft protection. the application of the red flags rule to some health care providers such as physicians continues to be a point of controversy, and organizations like the american medical association (ama) continue to argue against application of the rule. the ftc’s current position, however, is that the rules apply. so, for now, health care providers should take affirmative steps to document efforts to comply with the rule. a first step includes an assessment of whether the provider is a creditor with covered accounts. in short, the ftc says that if a provider sets up a payment account for a patient and waits for payment after services are rendered, they are a creditor with covered accounts. practically, that puts most providers in the creditor box. a second step would be to implement a written internal policy that causes providers and staff to look for basic “red flags” of identity theft and take appropriate action when those problems are detected. some of this may be as simple as checking a photo id at the time of service or calling the financial fraud officers within the local police department if id theft is detected. the ftc set up a red flags page with basic compliance information. to get physician providers started, the ama developed a resources page which includes basic guidance documents and a sample policy. local trade associations also should have compliance resources available for members. hopefully, these types of resources will remain easily accessible so physicians and other providers are able to conduct reasonable and low cost compliance work.