Article Summary: According to the FTC’s current guidance, the Federal Trade Commission’s Red Flags Rule for identity theft applies to most health care providers. Under the Rule, the FTC makes a clear attempt to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an area that the Department of Health & Human Services has, since the issuance of the Red Flags Rule in late 2007, seen fit to strengthen under the HITECH Act of 2009 through both enhanced security protections and breach notification requirements. Further, the HITECH Act set in motion aggressive health information technology reform that will also likely address medical identity theft. Do we really need another federal agency regulating the privacy and security protections that health care providers apply to medical records? This article summarizes the key components of the Red Flags Rule that will draw most health care providers into its reach and discusses how current health care reforms may favorably affect the prevention of medical identity theft.