Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, has raised a red flag of his own. “The Red Flags Rule requires creditors (which most providers are) to reasonably ensure that what HIPAA categorizes as business associates implement their own identity theft protection program for accounts managed by the covered entity,” he says.
The Red Flags Rule (the Rule) became effective May 1, 2008, and is significant for business associates (BAs). Apgar recommends a small but important addition to new BA agreements and, where necessary, to existing ones.
The Rule is an amendment to the Fair and Accurate Credit Transactions Act of 2003. The Rule requires financial institutions and creditors with covered accounts to establish identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.