Q. The Red Flags Rule references service providers. What are examples of service providers?
A. The Red Flags Rule defines a service provider as “a person that provides a service directly to the financial institution or creditor.” For providers required to comply with the rule, this includes business associates (BAs) such as billing agencies, collection agencies, auditors, and software vendors with access to the billing systems.
Creditors—in this case, providers—must reasonably ensure that service providers implement an identity or medical identity theft prevention program. Practically speaking, this means amending BA contracts to include this new requirement.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.