As stated in an earlier posting, healthcare providers should ensure appropriate compliance with the Red Flags Rule. There continues to be healthy debate as to what level of applicability the Red Flags Rule has in this market. That said, the link below, to a recent article by the FTC, highlights some relevant points to think about as healthcare providers consider whether or not they are ‘covered’ and, if so, the appropriate measures to be taken in developing their Identity Theft Prevention Program.
Of note, the article points out that "health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. However, simply accepting credit cards as a form of payment does not make you a creditor under the Red Flags Rule."
Based on this definition, it appears to some extent, that the majority of healthcare providers will be covered under the Red Flag Rule as creditors.
I encourage you to have a look at this article if you are still on the fence:
http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm