Who Must Implement an Identity Theft Prevention Program?
Although the Red Flags Rule was issued a year ago, many health care providers (and other service providers) only recently realized that these regulations apply beyond the financial sector. These regulations apply to health care providers and institutions through the broad definitions of “creditor” and “covered account” adopted in the Red Flags Rule. The rule’s requirement to develop and implement the written Program applies to financial institutions and creditors that offer or maintain covered accounts. In determining whether the Red Flags Rule applies, health care providers and institutions must conduct a two-step analysis that determines (1) if the provider is a financial institution or a creditor, and (2) if the provider offers or maintains covered accounts. If both answers are yes, the health care provider is required to develop and implement a Program and otherwise comply with the requirements of the Red Flags Rule. Step One: Are you a “financial institution” or a “creditor?” Most
