The Federal Trade Commission has pushed back the compliance deadline for its identity theft “red flag” rules. The original deadline was less than two weeks away. The new deadline is May 1, 2009.

The red flag rules require businesses that extend credit to their customers to develop and implement written identity theft prevention programs. Healthcare organizations fall under the rule, say attorneys.

The FTC released the final rules in November 2007. The requirement calls for a creditor to “provide for the identification, detection, and response to patterns, practices, or specific activities—known as ‘red flags’—that could indicate identity theft.” The rules apply to “financial institutions and creditors with covered accounts.”

In part, the FTC defines a creditor as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.” A covered account is one “used mostly for personal, family, or household purposes, and that involves multiple payments or transactions.” The FTC notes that accepting credit cards does not necessarily make an entity a creditor.

The final rule and other guidance are available from the FTC.