HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Service providers with Red Flags Rule

Email This Post Print This Post

Q. The Red Flags Rule references service providers. What are examples of service providers?

A. The Red Flags Rule defines a service provider as “a person that provides a service directly to the financial institution or creditor.” For providers required to comply with the rule, this includes business associates (BAs) such as billing agencies, collection agencies, auditors, and software vendors with access to the billing systems.

Creditors—in this case, providers—must reasonably ensure that service providers implement an identity or medical identity theft prevention program. Practically speaking, this means amending BA contracts to include this new requirement.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.


Leave a Reply