Prepared by the American Medical Association, 2009.
AMA identity theft prevention and detection and Red Flags Rule compliance:
Please note: The information provided in this document does not constitute, and is no substitute
for, legal or other professional advice. Seek consultation from legal or other professional
advisors for individualized guidance regarding the application of the law to your particular
situation or regarding other compliance-related concerns.
To customize this template document, replace the text in brackets (e.g., [text in brackets]) with
text that is appropriate to your practice and circumstances. After customizing this document, it is
advisable to have it reviewed by an attorney who is familiar with health privacy laws and
regulations in the state(s) in which your practice is located and who is in a position to provide
your practice with legal counsel.
To the extent possible, you should reword each section to reflect the specific procedures to be
followed in your practice, and be sure to incorporate applicable state laws. In addition, you may
decide that certain functions may only be performed by certain personnel, within certain
departments or with a certain form of management approval. When appropriate, you may wish to
include sanctions provisions. Sanctions are the disciplinary measures to be taken in the event of
careless disregard or deliberate violation of any of these provisions. You may also wish to keep
the documentation of sanctions in a separate sanctions policy.
[Physician practice name]
Policies and procedures
Identity theft prevention and detection and Red Flags Rule compliance
It is the policy of [physician practice name] to follow all federal and state laws and reporting
requirements regarding identity theft. Specifically, this policy outlines how [physician practice
name] will (1) identify, (2) detect and (3) respond to “red flags.” A “red flag” as defined by this
policy includes a pattern, practice, or specific