Health Care Providers not Exempt from 'Creditor' Rules
Under the Red Flag rules, a "creditor" is "any person or business who arranges for the extension, renewal or continuation of credit" with a "covered account." An "account" means a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property. A "covered account" is: (1) an account primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and (2) any other account (including an account for business purposes) for which there is a reasonably foreseeable risk to customers, or the safety and soundness of the creditor, from identity theft, including financial, operational, compliance, reputation or litigation risks.
Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts, taking into consideration:
- The methods it provides to open its accounts;
- The methods it provides to access its accounts; and
- Its previous experiences with identity theft.
There are a number of other requirements, and health care providers are not exempt from them, so examining whether the regulations apply is important and timely given the pending deadline.