It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place. Yikes! My guess is that this will not be fully resolved by May 1, 2009. I see too many disparate opinions out there to think otherwise. I certainly see both sides. On the one hand, the definition of "creditor" to include "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule. On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009? Certainly, those offices integrated with third party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge.
There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule, I just have to wonder how comprehensive and enforceable compliance will be. Let me know your thoughts!